Privacy Policy

(Last Updated: June 17, 2025)

JC Portable Site Accommodation Ltd (referred to as “JCPSA”, “we”, or “us”) is committed to protecting your privacy and complying with applicable data protection laws in the United Kingdom and the European Union. This Privacy Policy explains how we collect, use, and safeguard your personal data when you visit our website (including our WooCommerce online store at www.jcpsa.co.uk), communicate with us (e.g. via contact forms, live chat, WhatsApp widget, callback requests), or purchase our products and services. It also outlines your rights under the UK General Data Protection Regulation (UK GDPR) and EU General Data Protection Regulation (EU GDPR), and how you can exercise those rights.

By using our website or services, you agree to the collection and use of information as described in this Privacy Policy. Terms used in this Policy have the same meanings as in our Terms & Conditions unless otherwise defined here.

1. Who We Are

Data Controller: The data controller for your personal information is JC Portable Site Accommodation Ltd, a company registered in England (Company No. 07698496). Our registered office is at Chichester Enterprise Centre, Terminus Road, Chichester, West Sussex, PO19 8FY, United Kingdom. You can contact us using the details in the Contact Us section below.

2. Definitions

For the purposes of this Policy:

• “Personal Data” (also referred to as “Personally Identifiable Information”) means any information relating to an identified or identifiable individual. This includes information such as your name, email address, telephone number, postal address, IP address, or any other data that can be used to identify you.
• “Non-Personal Information” means information that cannot be used to identify an individual, such as aggregated data or device information without personal identifiers. (For example, general website usage statistics that do not reveal who you are.)

3. Information We Collect

We collect information at different touchpoints as outlined below. You always have a choice in what information to provide, but not providing certain details may limit our ability to respond to your inquiries or fulfill your orders.

      3.1. Information You Provide to Us

• Contact and Inquiry Data: If you contact us via our “Get a Quote” form, contact form, live chat, WhatsApp widget, or request a callback, we will ask for personal data such as your name (first and last), email address, phone number, and any information you choose to include in your message. We use this data to respond to your inquiry, provide the requested information or quote, and follow up with you regarding your interest (for example, to offer relevant products or services in line with your inquiry). We do not request or require sensitive personal information for general inquiries – typically just basic contact details as listed.
• Account and Order Data: If you create an account on our online store or make a purchase/hire: we will collect your name, email, phone number, billing and delivery address, and company name (if applicable) during checkout or account registration. This information is necessary to process your order, arrange delivery/installation, and provide customer support. We may also collect payment details such as credit/debit card information; however, note that we do not store full card numbers or security codes on our systems, as payments are processed securely by an accredited third-party payment processor (see section 5 on data sharing). For certain transactions (e.g. long-term rentals or financing agreements), we might request additional identification details (such as a form of ID number or company registration number) if required for verification or legal purposes. Any such data will be provided directly by you and used only for the specified verification purpose.
• Payment Information: If you make a purchase or payment through our Website, you will be redirected to our third-party payment provider (Tyl by NatWest) to enter your payment details. We do not collect or store your card or bank details on our servers. All payment details are provided directly to Tyl by NatWest on their secure payment page, not to us. Tyl by NatWest will process your payment information solely for the purpose of completing the transaction for our products or services. (See the “Payment Processing” section below for more details.)
• Customer Communications: If you are a customer, we may collect information when you communicate with us about your order or service (for example, if you send an email with a support query or call our customer service). This may include the content of your communications and any additional contact information you provide. We use this to assist you and improve our services.
• Newsletter Signup: If you subscribe to our newsletter or expressly consent to receive marketing emails, we will collect your name and email address. We use this to send you news about our products, promotions, or updates. (You can opt out at any time – see section 8 on your rights and Opt-Out below.)

     3.2. Information We Collect Automatically

When you visit our website, certain data is collected automatically about your device and browsing activities. This data is generally non-personal, but may be or become personal data when combined with other information. The automatically collected information includes:

• Cookies and Similar Technologies: Our website uses cookies and similar tracking technologies to enhance your experience and gather usage data. Cookies are small text files placed on your device that allow the site to remember your preferences, login status, shopping cart contents, and other information on repeat visits. We use cookies for functions such as: keeping you logged in, storing cart items, and personalizing content. We also use analytics and advertising cookies (described below) to understand site usage and market our services. We do not store sensitive personal information in cookies, and you can control cookies through your browser settings. (However, disabling all cookies may affect site functionality.) For more details, see Section 4.1 (Cookies and Caching).
• Device and Log Information: Our servers automatically record Log Data when you visit the site. This includes data such as your device’s IP address, browser type and version, operating system, the pages you visit on our site, the date/time of access, and the previous website or referral source that brought you to our site. . For example, our content delivery and security provider Cloudflare may collect your IP address and use it to derive your approximate geographic location at a country or region level (we do not obtain your precise GPS location). We use this information for IT security, to diagnose technical problems, and to analyze traffic trends (e.g. which pages are most visited) in order to improve our website’s design and content. This log data is generally anonymous, but it might be linked to your account or inquiry if necessary to troubleshoot issues or prevent fraud.
• Analytics Data: We use third-party analytics tools (such as Google Analytics) to collect information about how visitors use our website. These tools use cookies and scripts to gather information such as what pages you visit, how long you stay, how you interact with page elements, and general geographic location (e.g. country or city). This information helps us understand user behavior and improve our website and marketing. The data collected by Google Analytics may include your IP address (though we have configured Google Analytics to anonymize IP addresses where possible). Please note that Google may process this data on servers outside your country (including in the United States), but Google is certified under the EU-U.S. Data Privacy Framework for transfers of personal data. Analytics cookies are not strictly necessary and will only be used with your consent where required by law (e.g. if you are in the EU/UK, you will be offered a choice through our cookie consent banner). You can also opt out of Google Analytics by installing Google’s opt-out browser add-on.
• Advertising and Tracking Data: We may use advertising pixels or tags (such as Google Ads/AdWords conversion tracking and Google Ads remarketing cookies) to measure the effectiveness of our ads and to serve you targeted advertisements about our products on other platforms. For example, if you visit our site, Google’s cookie may note this and allow us to show you an advertisement later on Google’s network. These tools collect information about your visit (such as the pages you viewed or products you showed interest in). In the future, we may also utilize similar tools from social media platforms (e.g. a Facebook/Meta Pixel) to reach users on those platforms with relevant offers. Such tracking technologies will also only be activated with consent where legally required. You can manage your ad preferences directly on those platforms (for example, Google Ads Settings or Facebook Ad Preferences) to limit targeted advertising.
• reCAPTCHA (Spam Protection): To protect our site from spam and abuse, we use Google’s reCAPTCHA on certain forms (e.g. account registration or login). reCAPTCHA analyzes user behavior (e.g. mouse movements or puzzle challenges) and collects hardware and network information (such as IP address and device identifiers) to determine whether the input is made by a human. This data is sent to Google for verification. Use of reCAPTCHA is subject to the Google Privacy Policy and Terms of Service. We implement reCAPTCHA only for security purposes to prevent automated bots, and the information collected will not be used for any other purpose.

Note: We do not knowingly use any cookies or trackers that collect personally identifying information without your consent. If our site’s source code is updated to include additional third-party tools in the future, we will update this Policy accordingly. You can review and adjust your cookie preferences at any time via your browser or (if available) our site’s cookie consent manager.

     3.3.  Children’s Privacy

Our website and services are not directed to children. We do not knowingly solicit or collect personal data from individuals under the age of 13 (or under the age of consent defined by applicable data protection law, which is 13 in the UK and typically 16 in the EU). In fact, our products (portable and modular buildings) and online services are intended for adults or businesses. If you are under 13, please do not submit any personal information to us. If we become aware that we have inadvertently received personal information from a child under 13 (for example, via a general inquiry), we will delete such information promptly. Parents or guardians who believe we might have information about a child under 13 may contact us to review or delete it. (Where a child aged 13–16 has provided personal data with consent in the EU, and we need to rely on parental consent by law, we will take steps to obtain the parent’s consent or delete the data.)

4. How We Use Your Information

We use personal data for the following purposes, and we ensure that we have an appropriate legal basis for each use (see Section 6 on Legal Bases):

• Providing Our Services: We use your information to carry out our obligations to you. This includes processing orders and payments, arranging deliveries or installations, and providing products or services you have requested. For example, we use your contact and address details to deliver your purchased unit to the correct location, and we might use your email or phone to send service updates (e.g. order confirmations, invoices, delivery schedules).
• To Process Payments: All online payments on our Website are processed by Tyl by NatWest, a secure third-party payment service provided by National Westminster Bank (NatWest). When you proceed to make a payment, you will be securely redirected to a payment page hosted by Tyl by NatWest. There, you will enter your credit/debit card or other payment details. We do not see, collect, or store your full payment card information; that information is handled directly by Tyl by NatWest on their encrypted payment platform.

Tyl by NatWest employs industry-standard security measures (such as SSL/TLS encryption and 3D Secure authentication) to safeguard your payment data during the transaction. Once your payment is processed, we receive a confirmation from Tyl by NatWest so we can complete your order (for example, to know that payment was successful). The personal information we receive in that process is limited to what we need, such as your name, contact details, and the amount/status of the transaction – we never receive your card number or bank account details.

Tyl by NatWest processes your payment information only for the purpose of processing your payment for our products and services. This processing is done under the lawful basis of “contract” – it is necessary in order to fulfill the purchase you initiated. If you would like to learn more about how Tyl by NatWest handles your data, you can refer to NatWest’s Privacy Policy on their website. We trust Tyl by NatWest as a reputable payment provider to keep your payment details secure and confidential.

By making a purchase through our Website, you consent to your information being shared with Tyl by NatWest as needed to process the payment. If you have any questions about payment security or procedures, feel free to contact

• Responding to Inquiries and Customer Support: We process the personal data you provide in contact forms, emails, chats, or calls in order to respond to your requests or questions. For instance, if you request a quote or ask about a product, we will use the provided contact details and information to communicate with you and give you the requested information or proposal. If you are an existing customer, we may use your information to provide support, handle returns or complaints, or advise on maintenance and additional services.
• Marketing and Promotions: With appropriate permissions, we may use your contact information to send you marketing communications. This includes occasional newsletters, special offers, or product updates that we believe may be of interest. We typically send such communications via email. We rely on either your consent (e.g. if you signed up for our newsletter) or our legitimate interest in promoting our similar products to you if you’ve requested a quote or purchased from us (commonly known as a “soft opt-in”, in line with e-privacy laws). You will always have the opportunity to opt out of marketing messages. Every marketing email will contain an unsubscribe link, and you can also contact us at any time to be removed from our mailing list. We do not sell or share your contact details with third parties for their own marketing.
• Personalizing User Experience: We may use data about your interactions with our website to customize the content you see. For example, if you have an account or have engaged with certain product pages, we might highlight similar products or show relevant recommendations on our site. This personalization is generally based on site analytics and cookies, and is intended to make your experience more relevant.
• Improving Our Website and Services: We use aggregated usage data, analytics, and customer feedback to improve our offerings. For instance, data from Google Analytics helps us understand which pages are confusing or underperforming, so we can redesign them. We use third-party analytics and caching tools (like Cloudflare and LiteSpeed Cache) to help with this, in a privacy-conscious way (IP addresses used for analytics through Cloudflare are anonymized to only give us broad insights, such as visitor counts by country). This information helps us optimize loading speeds, tailor our content, and troubleshoot technical issues. Feedback or inquiries can indicate common interests or issues, guiding us to develop new features or support content. We may also use data aggregation techniques – combining and anonymizing data – to generate insights. For example, we might aggregate overall sales figures or website traffic patterns and analyze them to make business decisions. These aggregated statistics do not identify individuals and may be shared with service providers or used in business strategy, but your personal identity and information remain protected in this process.
• Security and Fraud Prevention: Your information is also used to protect our website, business, and other users. For example, we might use log data (including IP addresses) and cookies to detect and prevent fraudulent transactions, spam submissions, or malicious attacks. For instance, our security systems (including Cloudflare’s protections) may use this information to detect and block DDoS attacks, bots, or other suspicious behavior. If we observe unusual activity on your account, we may use your contact info to verify with you. We also use reCAPTCHA and similar tools (as noted) to keep automated bots off our site. All these measures are in place to maintain the integrity and security of our services.
• Legal Compliance: In some cases, we need to process personal data to comply with legal obligations. This includes keeping proper records of transactions for tax and accounting purposes, verifying identities for anti-fraud or anti-money laundering regulations if applicable, and responding to lawful requests by public authorities (e.g. court orders or regulatory inquiries). For example, UK tax law may require us to retain invoice information (which contains personal data) for a minimum period. We will also use and retain data as necessary to assert or defend our legal rights (for instance, information related to a warranty claim or a dispute).

We will not use your personal data for purposes that are incompatible with those listed above without seeking your consent or notifying you, as required by law. We do not engage in any automated decision-making, including profiling, that produces legal effects or similarly significant effects on you, as defined under GDPR. Any profiling we do (such as categorizing customers by region or industry to tailor offers) is done in a non-intrusive way and with human review.

     4.1. Cookies and Caching

We use cookies, web storage objects and edge‑caching technologies to make our WooCommerce store fast, secure and personalised. When you first land on jcpsa.co.uk you will see a banner that lets you toggle five optional categories (Functional, Analytics, Performance, Advertisement, Uncategorized). “Necessary” cookies are always on because the site cannot run without them. You may revisit your preferences at any time via the “Cookie Settings” link in the footer; changes take effect immediately but will not remove cookies already stored — you may clear those in your browser.

Necessary Cookies (Strictly Necessary – Legitimate Interest)

These cookies are essential for the website’s core functionality, security, or user-requested features. They do not require consent under GDPR, as they are set based on legitimate interests (or to fulfill user requests).

Functional Cookies (Site Features – Consent)

Functional cookies help enable enhanced features on the site (like media, chat preferences, or social sharing). JCPSA.co.uk does not currently use any functional cookies aside from those classified as necessary above. (No additional functional cookies were identified in the audit.)

Analytics Cookies (Usage Statistics – Consent)

These cookies collect information about how visitors use the website (page views, traffic sources, user behavior) to help improve services and user experience. They are only set with user consent.

Note: Analytics cookies are not set until you consent to analytics in the cookie banner. All analytics data collected (e.g., via Google Analytics, Lucky Orange, Clarity) is anonymous and used in aggregate form to improve the website’s performance and content.

Performance Cookies (Site Performance – Consent)

Performance cookies would be used to measure website speed or enhance performance. JCPSA.co.uk does not use any performance-specific cookies (no performance cookies were identified on the site).

Advertisement/Marketing Cookies (Advertising – Consent)

These cookies are used to track visitors across websites and deliver more relevant advertisements, or to measure the effectiveness of ad campaigns. They are only set with user consent (opt-in via the cookie banner).

Uncategorized Cookies

All cookies on JCPSA.co.uk have been classified into standard categories. At present, no uncategorized “Other” cookies remain – every cookie in use is accounted for in the categories above. (If any new or unknown cookies appear, they will be listed and described here once identified.)

     4.2. Edge‑Caching and CDN Processing

• Cloudflare reverses‑proxy all HTTP/S requests. Every request routes through the nearest Cloudflare data‑centre, where your IP address and user‑agent are logged for ≤25 hours to mitigate DDoS and apply rate‑limiting. Cloudflare Docs
• LiteSpeed Cache stores a copy of rendered pages on our origin server; cache items purge automatically when content changes or after the expiration period noted above. Vary‑cookies ensure logged‑in users see dynamic pages. cookiedatabase.org
• QUIC.cloud holds minified CSS/JS and WebP/AVIF images on its global PoPs for up to 7 days, after which files are flushed or refreshed. Only hashed URLs and generic visitor logs are processed. QUIC.cloud

All CDN transactions occur over TLS 1.3; transport‑level encryption is enforced end‑to‑end (browser ⇄ Cloudflare ⇄ QUIC.cloud ⇄ origin).

     4.3. Managing Your Choices

• Toggle switches − Use the sliders in the consent panel to enable or disable Functional, Analytics, Performance, Advertisement or Uncategorized cookies.
• Browser controls − Most browsers let you delete cookies, block third‑party cookies or activate “Do Not Track”.
• Google opt‑outs − Install the Google Analytics Opt‑out Browser Add‑on or adjust Ads Personalisation in your Google account.

Rejecting optional cookies will not affect checkout or basic browsing, but certain features (live‑chat, recently viewed items, personalised speeds) may not function.

For more detailed information, you may contact us with any questions about specific cookies.

5. How We Share Your Information

We treat your personal data with care and confidentiality. We do not sell or rent your personal information to third-party marketers. However, in order to run our business and provide our services, we share your data with certain trusted third parties under strict conditions. The types of recipients of your data are as follows:

• Service Providers (Processors): These are third-party companies that help us operate our website and provide our services to you. We only share with them the information necessary for them to perform their functions, and they are contractually obligated to keep your data secure and use it only for our specified purposes. Key service providers we use include:
• Payment Processing: As described in the Payment Processing section, Tyl by NatWest securely processes all online payments for us. When you make a payment, your payment details are handled by Tyl by NatWest on their secure platform. We do not store your card information. Tyl by NatWest will only use your payment data to process the transaction and will then retain it as necessary for fraud prevention and regulatory compliance. Tyl by NatWest is PCI-DSS compliant and uses encryption and authentication measures to protect your card data. For transparency, you can review NatWest’s own privacy notice to see how they treat your information.

• Cloudflare (Content Delivery & Security): We use Cloudflare, a leading Content Delivery Network (CDN) and security provider, to enhance our website’s performance and protect it from malicious traffic. When you visit our Website, your browser may connect to a Cloudflare server nearest to you (Cloudflare has data centers worldwide) which serves cached versions of our website content. This helps pages load faster by shortening the distance data travels and reducing load on our origin server. In the process, Cloudflare will process certain information about your visit, such as your IP address, system configuration, and other technical data, in order to route and optimize the content delivery. Cloudflare also analyzes traffic to identify and block threats, like hackers or bots, before they reach our site. This means Cloudflare may place a cookie on your device to distinguish you as a legitimate user versus a suspicious source, and may collect analytics data (e.g. how many visitors we get, and broad location stats) which it shares with us in an aggregated form. We do not receive personal details about you from Cloudflare’s analytics – any IP information is anonymized or aggregated to general statistics (for example, we might see that we had X number of visitors from a certain country, but not who those visitors were). Cloudflare is headquartered in the United States, so using its services can involve transferring your data (like IP addresses or other technical identifiers) outside of the UK/EEA. However, Cloudflare has committed to protecting such data transfers by using approved safeguards (for example, Standard Contractual Clauses as per GDPR) and by participating in relevant data privacy frameworks. In summary, Cloudflare acts as our data processor for website optimization and security, and it only uses your data for those technical purposes and not for its own marketing. For more details, you can read Cloudflare’s Privacy Policy.

• LiteSpeed Cache & QUIC.cloud (Website Caching): Our Website runs on a web server technology called LiteSpeed, and we utilize the LiteSpeed Cache plugin to improve loading times. This caching system creates and stores temporary copies of our web pages on the server so that they can be delivered to you more quickly on subsequent requests. Cache files may include the content of pages you visit (which could indirectly include some of your information if you, for example, fill out a form that is then cached). However, all cached files are stored only for a short duration and are automatically purged on a schedule set by us. These cached copies are used solely to enhance performance and are never used to identify individuals. The cache is stored on our server and is not shared with or accessible to any third party, except the plugin provider for technical support if ever required. In conjunction with caching, we may use QUIC.cloud, a content delivery and optimization service associated with LiteSpeed. QUIC.cloud can serve cached content from a network of servers and process some site data temporarily to speed up delivery. For example, images or pages might be routed through QUIC.cloud’s CDN for faster loading. Any data processed by QUIC.cloud is transient – it acts as a conduit to cache and deliver content closer to users. QUIC.cloud’s privacy policy provides more information on how it handles any data during this process. In summary, the use of LiteSpeed Cache and QUIC.cloud is purely for technical performance enhancement: it helps us ensure you experience quick page loads and a smooth browsing experience. These services do not collect new personal information from you beyond what is described in “Information Collected Automatically,” and they adhere to privacy principles in handling cached data.
• Customer Relationship Management (CRM) & Communications: We manage our customer and inquiry data using Bitrix24, a CRM and customer support platform. When you fill out forms on our website (such as the contact form or quote request) or engage with our live chat/WhatsApp widget, your submitted information is securely transmitted to our Bitrix24 system. Bitrix24 helps us organize inquiries, track communications, and follow up with potential or existing customers. Bitrix24 acts as a data processor for us – it stores your contact details and communication history on our behalf. Our Bitrix24 instance is hosted in data centers within the European Union (Frankfurt, Germany) for compliance with GDPR. Bitrix24 does not use your data for any purposes except as needed to provide the CRM service to us. (Note: If you choose to communicate with us via the WhatsApp channel integrated in our Bitrix24 widget, your messages will also be processed by WhatsApp under WhatsApp’s own privacy policy, since WhatsApp is an external service. We will receive a record of those communications in our CRM. Similarly, if you reach out via social media or other integrated channels, those messages are subject to the respective platform’s terms in addition to our handling.)
• Website Hosting and IT Providers: Our website is hosted on servers provided by third-party hosting companies. In the normal course of hosting, these companies handle technical aspects of data storage and transmission. This means any personal information you submit to our website (e.g. via a form) will pass through and be stored on our host’s servers. We ensure our hosting provider has appropriate security measures in place. Additionally, we may use IT support providers or cloud backup services that could have incidental access to stored data (only as needed to fix issues or back up data). All such providers are bound by confidentiality and data protection obligations.
• Analytics and Advertising Partners: As noted in Section 3.2, we use services like Google Analytics and Google Ads. These services act as our processors for analytics/advertising data, or in some cases as independent controllers (for example, Google uses some data for its own purposes). We share site usage information (via tracking code) with Google Analytics to get reports on website traffic. We may also share hashed or anonymized data with advertising partners to reach the right audience. Any personal data in these contexts (like IP addresses or unique IDs) is minimized or pseudonymized where possible, and these partners are expected to comply with privacy frameworks (Google, for instance, adheres to the EU-U.S. Data Privacy Framework for data transfers). You can opt out of such data sharing as described earlier.
• Delivery and Logistics Partners: If your purchase includes physical delivery of units to your site, we will share the necessary details with logistics or transport companies that deliver on our behalf. This can include your name (or contact person name), delivery address, and contact phone number (so the driver can reach you if needed). We only provide what is needed for the delivery. These partners are typically independent data controllers for the information we provide to them (since they need to use it to fulfill the delivery), but they are also subject to privacy laws. We ensure we work with reputable delivery firms. Similarly, if an installation or service is performed by a third-party contractor, we will share the minimum required contact information with them to carry out their work.
• Affiliates and Business Partners: We do not currently have any parent or subsidiary companies, or joint venture partners, with whom we routinely share personal data. If that changes (for example, if we establish a branch or affiliate that will handle your data), we will update this policy. In some cases, we might refer a customer inquiry to a specialized partner (for instance, if you require a service we do not provide, like a specific financing option or a geographic agent). We would only pass your details to such a partner with your consent or at your direct request.
• Legal and Compliance: We may disclose personal information when required by law or necessary to protect legal rights. This includes scenarios such as:
  • Complying with a court order, subpoena, or other legal process.
  • Responding to lawful requests by public authorities, including to meet national security or law enforcement requirements.
  • Disclosing information to government agencies or regulators where required (e.g. tax authorities or data protection authorities).
  • Using or disclosing information as necessary to enforce our Terms and Conditions, to investigate or defend ourselves against legal claims, or to prevent fraud or abuse. For example, if someone attempts to perpetrate fraud, we may share data with law enforcement investigators.
  • Protecting rights, property, and safety: We may share information with relevant parties (such as law enforcement, cyber security consultants, etc.) if needed to protect the rights, property, or safety of JCPSA, our customers, our employees, or others.
• Business Transfers: If in the future our company is involved in a merger, acquisition, sale of assets, or reorganization, your personal data may be transferred to the successor or new owner as part of that transaction. If such a transfer occurs, the use of your personal information will still be governed by this Privacy Policy (unless you are notified of changes) and possibly by the privacy policy of the new entity. We would inform you of any change in data control and give you any choices your law provides.

We require all third parties with whom we share personal data to respect the security of your information and to treat it in accordance with the law. Where those third parties are processing data on our behalf (service providers acting as “processors”), we have written contracts in place to control how they handle the data and to ensure they only act on our instructions. In cases where third parties receive data as controllers (e.g. authorities or payment providers), we ensure we have a lawful basis to share the data and only share what is necessary.

6. Legal Bases for Processing (UK & EU GDPR)

We process personal data only when we have a valid legal basis to do so under data protection laws. Depending on the specific processing activity, one or more of the following legal bases apply:

• Performance of a Contract: We rely on this basis when we need to process your information to fulfill a contract with you or to take steps at your request before entering into a contract. For example, when you place an order, we process your payment and address details to deliver your product as part of our sales contract. Likewise, if you ask for a quote or information about our products, processing your contact details and requirements is necessary as a pre-contractual step (responding to your request).
• Legitimate Interests: We process certain data as necessary for our legitimate business interests, provided those interests are not overridden by your data protection rights. We have carefully balanced our interests with your rights. Examples of processing under legitimate interests include: using analytics and cookies to improve our website and understand usage; answering inquiries from prospective customers; sending marketing communications to existing customers about similar products (soft opt-in); preventing fraud and securing our website; or sharing data with our service providers to operate our business. In all cases, we only process data in ways you would reasonably expect and that have minimal privacy impact, or else we will inform you and obtain consent if required. You have the right to object to processing based on legitimate interests (see Section 8 on Your Rights).
• Consent: We will ask for your consent in situations where we are required to do so by law or where no other legal basis clearly applies. For instance, we seek your consent before setting non-essential cookies (such as advertising or analytics cookies) on your device, as per e-Privacy laws. Similarly, if you subscribe to our email newsletter through our website (without being an existing customer), we rely on your consent that you gave at the time of subscription. Where we process sensitive personal data (though we typically do not collect sensitive data like health or biometric data), we would obtain explicit consent unless another lawful exception applies. You have the right to withdraw consent at any time (which will not affect the lawfulness of processing before withdrawal).
• Legal Obligation: Some processing is necessary for us to comply with our legal obligations. For example, we must retain certain transaction records to satisfy financial reporting and tax laws, or respond to official requests when the law compels us. If you exercise certain rights under GDPR (like requesting data deletion or disclosure), we will process personal data to the extent required to comply with our legal obligations in responding to your request.
• Vital Interests: In a highly unlikely scenario, we might process personal data to protect someone’s life or physical safety (vital interests). For example, if a recall of a product were necessary for safety reasons, and it required using customer contact information urgently, this basis could apply. Fortunately, such situations are rare in our context.
• Public Interest: We do not typically process data for tasks carried out in the public interest (this basis usually applies to official authorities or certain research). It’s not applicable to our ordinary operations.

We will clearly inform you at the point of data collection what the primary purpose is and any additional purposes we might use your data for. If we intend to use or disclose your data for a new purpose that is not compatible with the original purpose, we will obtain your consent or provide notice as required by law.

7. International Data Transfers

JCPSA is a UK-based company that also serves customers in the EU. Consequently, your personal data may be transferred and stored across borders in the following contexts:

• Between the UK and EEA: We have operations in both the United Kingdom and Poland (EU). For example, if you are an EU customer, your inquiry might be handled by our customer care staff in Poland, meaning your data will be accessed in Poland (EEA). Likewise, data of EU customers may be stored on our UK servers or vice versa. The UK is currently recognized by the European Commission as providing an adequate level of data protection, which allows personal data to flow freely from the EEA to the UK at least until 27 December 2025 under the current adequacy decision. We comply with both UK GDPR and EU GDPR for such data. If for any reason the UK’s adequacy status changes in the future, we will implement appropriate safeguards (such as Standard Contractual Clauses) to ensure continued lawful transfers. Similarly, data sent from the UK to the EEA is permitted under UK law, as the UK has deemed EEA countries adequate for data transfer.
• Service Providers in Other Countries: Some of our external service providers are located outside the UK/EEA or may process data outside these regions. Notably, data collected by Google (Analytics or Ads) may be processed on servers in the United States or other countries. Also, if in the future we use a marketing tool or cloud service based in the U.S. or another country outside Europe, your data might be transferred to that country. When we transfer personal data internationally, we take steps to ensure an adequate level of protection in line with GDPR requirements. These steps may include:
  • Relying on an adequacy decision for the destination country, if available (for instance, the EU has adequacy decisions for a few countries besides the UK).
  • For U.S. transfers: ensuring the recipient is certified under the EU-U.S. Data Privacy Framework (DPF) or its UK extension, if applicable. For example, Google LLC is certified under the EU-U.S. DPF which means it commits to protect EU/UK personal data in line with EU standards.
  • Implementing Standard Contractual Clauses (SCCs): These are contractual agreements approved by the European Commission (and recognized by the UK) that legally bind the recipient to protect the data. We have SCCs in place where required, for instance with certain cloud service providers.
  • Assessing each transfer to ensure there are no local laws that undermine the protection and, where needed, adding supplementary measures (encryption, access controls) to the data.

We will inform you if we need to transfer your personal data to a country without an adequacy decision in place in a way that requires your acknowledgement or consent. In any event, our goal is to ensure that your personal information enjoys a high level of protection wherever it is processed – equal to the protection it would receive under UK/EU law. If you have questions about our international data transfers or want more details about the specific safeguards in place (such as a copy of the SCCs used), you can contact us using the details in Section 10.

8. Your Rights and Choices

Under the GDPR (and UK data protection law), you have a number of important rights with regard to your personal data. JCPSA is committed to upholding these rights. Below is a summary of your principal rights:

• Right to Be Informed: You have the right to be given clear, transparent information about how your personal data is collected and used. We fulfill this right by providing you with this Privacy Policy and related notices.
• Right of Access: You have the right to access your personal data that we hold and obtain a copy of it, as well as to receive information on how it’s being processed. This is often called a “Data Subject Access Request”. Upon request, we will confirm if we are processing your personal data and provide additional details (such as the categories of data, purposes of processing, recipients, storage periods) along with a copy of the actual personal data we have about you. (Note: for others’ rights and freedoms, we might redact data that pertains to other individuals.)
• Right to Rectification: You have the right to have inaccurate personal data corrected or incomplete data completed. If you find that any information we hold about you is incorrect or outdated (for example, if you change your phone number or notice a misspelled name), please let us know and we will update it.
• Right to Erasure: You have the right to request the deletion of your personal data in certain circumstances. This is also known as the “right to be forgotten.” You can request erasure, for example, if the data is no longer necessary for the purposes it was collected, if you withdraw consent and we have no other legal basis to keep it, or if you object to processing based on legitimate interest and we have no overriding grounds to continue. Please note this right is not absolute – sometimes we may have legal or legitimate reasons to retain some data (for instance, we cannot delete records that we must keep by law, such as completed transaction records needed for tax purposes, and we may retain minimal information to remember your opt-out preferences). But we will inform you of any such reasons if they apply.
• Right to Restrict Processing: You have the right to request that we limit the processing of your data in certain situations. For example, if you contest the accuracy of your data, you can ask us to restrict processing while we verify and correct it. Or if you have objected to processing (see below), you can ask we restrict use of data while we consider your objection. When processing is restricted, we can still store your data but not use it further until the issue is resolved (unless for legal claims or public interest reasons). We will lift the restriction once resolved and inform you.
• Right to Data Portability: You have the right, in certain cases, to receive the personal data you provided to us in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller. This typically applies to data processed by automated means on the basis of consent or contract. For instance, if you provided us with a lot of information and we process it by consent, you might request an export of that data to reuse elsewhere. We can provide such data in a CSV or similar file. Where feasible, you can also request that we transfer the data directly to another company’s system if technically possible. (Note: this right is distinct from the right of access; it’s more about getting data in a usable digital format for reuse.)
• Right to Object: You have the right to object to certain processing activities. You can always object to processing of your personal data for direct marketing purposes – if you object, we will stop using your data for marketing immediately, as this is an absolute right. You can also object to processing based on legitimate interests (or public interest) grounds. In such cases, we will review your objection and unless we have compelling legitimate grounds that override your rights (or if the processing is needed for legal claims), we will cease the processing in question. For example, if you object to our use of your data for analytics because you believe it infringes on your privacy, we will consider your request seriously and likely comply by disabling analytics for your visits (often you can do this via cookie preferences too).
• Right not to be subject to Automated Decisions: As noted, we do not make solely automated decisions with legal or similarly significant effects. However, you have the right not to be subject to a decision that is based only on automated processing (no human involvement) if it produces a legal effect or similarly significant effect on you. This right would allow you to request human review of a decision. It’s not applicable here in practice, since any important decisions (like approving credit, etc.) are not automated by us.
• Right to Withdraw Consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. For example, if you subscribed to our newsletter and no longer wish to receive it, you can unsubscribe (withdrawing consent for marketing emails). If you consented to non-essential cookies, you can change your preference and we will stop processing your data from those cookies. Withdrawing consent will not affect the lawfulness of processing done before the withdrawal, but once withdrawn, we will cease the related processing. Note that if there’s another legal basis for the processing (e.g. we also need that data to perform a contract), we might continue under that basis – but we will inform you if that’s the case.
• Right to Complain: If you believe your data protection rights have been violated or you have a concern about how we handle your personal data, you have the right to lodge a complaint with a supervisory authority. In the UK, our supervisory authority is the Information Commissioner’s Office (ICO). You can contact the ICO via their website (ico.org.uk) or by phone. If you reside in an EU country, you may contact your local Data Protection Authority. Since we have an operational presence in Poland for EU matters, you may also contact the Polish Personal Data Protection Office (UODO) as the lead EU supervisory authority for our EU processing. We would, however, appreciate the chance to deal with your concerns before you approach a regulator – so please consider contacting us first, and we will do our utmost to resolve any issue.

To exercise any of your rights, please reach out to us via the contact information provided in Section 10. We may need to verify your identity before fulfilling certain requests (to ensure we don’t disclose data to the wrong person). This is usually done by asking for information that confirms you are the owner of the data (for example, verifying your contact details or requiring a request from the email address associated with your account). We will respond to requests within one month, as required by GDPR, unless the request is complex (in which case we may inform you that an extension of up to two further months is needed). Exercising your rights is free of charge in most cases. However, if requests are manifestly unfounded or excessive (e.g. repetitive), we may charge a reasonable fee or refuse to act on the request, as permitted by law – but we will provide an explanation in such cases.

9. Data Security and Retention

Security Measures: We take reasonable and appropriate measures to protect your personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction. These measures include:

• Encryption: Our website uses HTTPS encryption (SSL/TLS) for all data transmissions. This means that the information you enter is encrypted when sent to our server. Look for the padlock symbol in your browser address bar.
• Access Controls: Personal data stored in our systems (including our CRM, databases, and file storage) is accessible only to authorized personnel who require access to perform their job duties. We limit access to your information to trained staff on a need-to-know basis. For example, sales team members can see inquiry details, the dispatch team can see delivery info, etc., but each employee has individual login credentials and permissions.
• Secure Storage: We ensure that our service providers implement robust security. Our servers and cloud services employ firewalls, intrusion detection systems, and regular security audits. Bitrix24, for instance, isolates our data and provides two-factor authentication options. Payment information is handled by Secure Trading using their secure infrastructure – we never handle unencrypted credit card details.
• Backup and Recovery: We backup critical data regularly and have disaster recovery plans to prevent data loss. Backups are encrypted and stored securely.
• Monitoring: We monitor our systems for suspicious activity and have procedures to respond swiftly to potential security incidents.

While we strive to protect your information, please note that no method of transmission over the Internet or method of electronic storage is 100% secure. Email communications, for example, are not always encrypted end-to-end, so take care in what information you send us via email. We cannot guarantee absolute security of data, but we follow best practices and continuously update our security protocols in line with new threats and technologies.

Data Breach Procedures: In the unlikely event of a data breach that poses a risk to your rights and freedoms (e.g. unauthorized access to our systems resulting in loss or theft of personal data), we will notify the affected individuals and the relevant supervisory authority (such as the ICO) as required by law. We have an internal incident response plan to handle such situations, aimed at containing and mitigating the breach and preventing future recurrence.

Retention Period: We will retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. The exact duration depends on the type of data and the context in which it was provided:

• If you make an inquiry or request a quote but do not become a customer, we will typically retain your contact information and inquiry details for a certain period (generally, up to 2 years from the date of last communication). We keep it this long to be able to follow up on potential projects and to understand our interactions with prospects. However, if you prefer we delete your inquiry data sooner, you can request erasure (as described in Section 8) and we will oblige, provided we have no overriding need to keep it.
• If you purchase or rent a product/service from us, we will retain your personal data for the duration of our contractual relationship and thereafter for as long as necessary to fulfill our legal obligations or business needs. For example, we keep invoice and transaction records for at least 6 years to comply with UK tax law and as required for auditing purposes. We may keep basic identifying information (name, contact, transaction history) for a longer period (up to e.g. 6-7 years after you cease being a customer) in case of any warranty claims, disputes, or follow-up services. Additionally, retaining a history of your projects can be useful for us to provide better service if you come back (legitimate interest), but we won’t use old contact info for marketing if you have opted out.
• If you subscribe to our newsletter or consent to marketing, we will retain your contact information for that purpose until you unsubscribe or withdraw consent. Once you opt out, we will stop sending you marketing, and we may either delete your contact or suppress it on our list to ensure we don’t inadvertently contact you (we keep minimal info like email address in a “do not contact” list, as permitted by law).
• Web analytics data (Google Analytics) is retained for a period that we configure within Google’s settings. Currently, user-level and event-level data associated with cookies and IDs in Google Analytics is set to be retained for 14 months before being automatically deleted. Aggregate reports (which do not identify users) may be kept longer.
• Log files on our web server are typically rotated and deleted within 12 months (often sooner, e.g. 90 days) unless we need to retain them longer for security analysis.
• CRM records (via Bitrix24) of communications are retained as long as we have an ongoing relationship or potential relationship with you. If you become a customer, those records attach to your customer profile and are kept as per customer data retention above. If you do not engage further, we may delete or anonymize conversation records periodically to reduce storage, typically after a couple of years of inactivity.

When we no longer have a legitimate need or legal obligation to keep your personal data, we will securely delete, anonymize, or destroy it. For example, we may anonymize analytics data after a retention period so it can no longer be linked to an individual, or we may securely erase personal details from older inquiries that never converted.

If deletion is not immediately feasible (for example, because the data is stored in backup archives), we will isolate the data from active use until it can be erased. Backup data is usually cyclically overwritten, so any personal data in backups will be eliminated over time as those backups are refreshed.

10. Updates to This Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. We encourage you to review this page periodically to stay informed about how we are protecting your information. If we make material changes to this Policy, we will take appropriate measures to notify you. This may include posting a prominent notice on our website, updating the “Last Updated” date at the top of the Policy, or contacting you via email or other means if you are an active customer or if required by law. The choice of notification method is at our discretion and may depend on the nature of the change. Minor updates (such as clarifications or improvements that do not significantly affect your rights) will be reflected by updating the Last Updated date.

Any changes we make will become effective when we post the revised Privacy Policy on our website, unless otherwise indicated. Your continued use of our website or services after a Policy update constitutes your acceptance of the revised terms (to the extent permitted by law). If you do not agree with the changes, you should stop using our services and contact us if you wish to exercise any rights (for example, you may ask us to delete your data if applicable).

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please do not hesitate to contact us. We are here to help and committed to protecting your privacy.

• By Email: You can reach our team at info@jcpsa.co.uk. Please include “Privacy Inquiry” in the subject line so we can route your query to the right personnel.
• By Phone: You may call us at (+44) 1243 908010. If your query is privacy-specific, you may be directed to our data protection responsible person.
• By Post: You can write to us at our registered business address:

JC Portable Site Accommodation Ltd

Chichester Enterprise Centre

Terminus Road

Chichester, West Sussex

PO19 8FY

United Kingdom

Alternatively, you can use the contact form on our website. If doing so, please mention that your inquiry is about privacy or data protection.

We will endeavor to respond to all legitimate requests or questions as promptly as possible, and at most within the timeframes provided by law. Your feedback and trust are important to us. If you have any suggestions or concerns about our data practices, we welcome the opportunity to address them.

Thank you for taking the time to read our Privacy Policy. We value your privacy and trust. By staying informed, you help us ensure transparency and accountability. We hope this Policy has clarified how we handle your data and your rights regarding it.