Privacy Policy

What is the purpose of this document?

Heighway Associates Architects Limited is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during and after your relationship with us, in accordance with the General Data Protection Regulation (GDPR) and Data Protection Act 2018.

We, as the data controller, are Heighway Associates Architects Limited, a company registered in England and Wales. Our company registration number is 10718933 and our registered office is at 34 West Street, Marlow, Buckinghamshire SL7 2NB. Our registered VAT number is 697691853.

This notice is not contractual and we may update this notice at any time but if we do so, we will provide you with an updated copy of this notice as soon as reasonably practical.

It is important that you read and retain this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

Data Protection Manager and Contact details

We are not required to have a Data Protection Officer but we have appointed Lynne Davis as our Data Protection Manager (DPM). If you have any queries about this notice or our use of your personal data, or if you wish to request to opt out of specific processing or exercise any rights, please contact her on 01628 483 211 or at or 34 West Street, Marlow, Buckinghamshire SL7 2NB.

Data protection principles

We must comply with the principles relating to processing of personal data set out in the GDPR which, in summary, state that personal data shall:

  • be processed fairly and lawfully in a transparent manner;
  • be collected for specific, explicit and legitimate purposes and not be processed in any manner which is incompatible with those purposes;
  • be adequate, relevant and limited to what is necessary for that purpose;
  • be accurate and kept up to date where necessary, with every reasonable step being taken to ensure that personal data are accurate, having regard to the processing purpose, and are erased or rectified without undue delay;
  • be kept in a form which permits identification of data subjects for no longer than is necessary for that purpose;
  • be kept secure, safe from unauthorised access, accidental loss, damage or destruction; and
  • be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction of damage, using appropriate technical or organisational measures.

Our collection, use and transfer of your data


We keep a record of the names of our clients, as well as their address, telephone number, e-mail address and the same details for contacts of corporate clients for our legitimate interest in providing services.

Unless you state otherwise, we may also use selected information and media (including photographs) for social media and / or marketing purposes. We will not refer to any specific house name or number, nor will we name any client. 

Website contacts

You may send us information via our website. This requires you to input your name, email address and phone number, as well as your personal message to us.

Job applicants 

If you apply for a job with us, we will keep your name, contact details, current salary, covering letter and CV and may use these to contact you about applicable jobs.

Suppliers and general stakeholders

We also collect information about many other people, mainly in the form of contact details (name, job title, organisation, address, e-mail address and telephone number, as well as other information from e-mail signatures and footers) of people interested in our business or services, contacts at suppliers and potential suppliers, people within the industry and other stakeholders. This information is usually provided directly from you and may be used for the legitimate interest in communicating with you in relation to specific issues or products that you are involved in, or matters that you might be able to assist with. We may also contact you to keep in touch or make introductions. We keep the details of any complaints for our legitimate interest in responding to that complaint and trying to improve our business following any upheld complaint.

All: Other organisations that may see your data

Our banks, insurers, solicitors, accountants and other advisers are also entitled to obtain specific data on request as part of our compliance checks and legal obligations, although they rarely need specific personal data. We may provide personal data to our solicitors to the extent relevant to our instructions to them. Any personal data may be held and used for establishing, exercising or defending legal claims.

We use cloud-based servers for e-mails, communications, marketing emails and newsletters, task planning, HR data storage, file transfer and general data storage as detailed in the section below titled “Transferring information outside the EU”. We only allow our third-party service providers to use your personal data for specified purposes and in accordance with our instructions.

We may also disclose your Personal Data if we believe such action is necessary, for example to conform with a legal requirement, protect and defend our rights or property or to protect the interests of our members or users.

All: Special category personal data such as health information

“Special categories” of particularly sensitive personal information, being data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identifying people, health information and data concerning sex life or sexual orientation, require higher levels of protection.

We may collect, store and use this information if you provide it to us and consent to us using it for a specific purpose, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.  We may collect, store and use information about your health where it is useful to ensure your safety whilst you are on our premises. 

All: Criminal convictions

We will not store or use information about any criminal convictions and offences, unless you have provided your consent to it.

All: Future sale

We may share your personal information in the context of our legitimate interests in a possible sale or restructuring of the business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.

In limited circumstances, we may approach you for your written consent to allow us to process other sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information, whether sensitive or not.

How long will we use your information for?


We hold personal data about individual clients or contacts of corporate clients until we are satisfied that there is no longer any purpose for retaining it. This is usually seven years after their last purchase, to cover off any legal or financial issues that might arise during that period.

Website contacts

We generally keep information submitted via our website from people who are not and do not become clients for up to three years, depending on the content and message.

Job applicants

If you apply for a job with us, we may keep your name, contact details, current salary and CV on file for up to 12 months, although we may delete it before then if we do not anticipate any need for recruitment applicable to you within this time.

Suppliers and general stakeholders

We will hold your personal data until we are satisfied that there is no longer any purpose for retaining it. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.


In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Website cookies

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.

We use the following types of cookies:        

  • Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

You can find more information about the individual cookies we use and the purposes for which we use them in the table below:







This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site’s analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.

2 years



This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.

1 day



This cookies is installed by Google Universal Analytics to throttle the request rate to limit the collection of data on high traffic sites.

1 minute




This cookie is set by Google and is used to distinguish users.

1 minute


Please note that Google may also use cookies, over which we have no control. To deactivate the use of third-party advertising cookies, you may visit their consumer page to manage the use of these types of cookies.

You can choose which analytical, functionality and targeting cookies we can set by clicking on the button(s):

  • Analytical or performance cookies OFF

However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website.

Our website host – as one of our data processors – can only process your data in accordance with out instructions. This uses a cloud-based system backed up in the UK.

Our website may contain links to enable you to visit other websites of interest easily. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information that you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Transferring information outside the UK

We use cloud-based servers for e-mails, communications, marketing emails and newsletters, plan drawings, staff holiday records, file transfer and general data storage. Most of these, such as our email hosts only store data in the UK. ArcTechPro stores data in Ireland, which is covered by the European General Data Protection Regulations.

Right to withdraw consent

In the limited circumstances where you may have consented to the collection, processing and transfer of your personal information for a specific purpose, you may withdraw your consent for that specific processing at any time. To do so, please contact our DPM. We will then no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. Please note that we may process your personal information without your knowledge or consent, where this is required or permitted by law. 

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to continue our relationship with you, depending on the specific data, why we need it and what risks the provision of it poses to your rights and freedoms. For example, if a supplier fails to provide contact details of its finance department or the details needed for payments, we may not be able to pay them.

Automated decision-making

You will not be subject to electronic decision-making without human intervention that will have a significant impact on you.

Data security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. However, unfortunately, the transmission of data via the internet is not completely secure and we cannot guarantee the security of your data transmitted to our site, and transmission is at your own risk.

Rights of access, correction, erasure, and restriction

You have a number of rights under the GDPR:

  • the right to access personal data we hold;
  • the right to ask us to rectify or complete our records;
  • the right to ask us to delete personal data;
  • the right to object to us processing your personal data;
  • the right to restrict our processing; and
  • the right to ask us to transfer your personal data to another organisation.

These are not absolute rights and are subject to specific conditions and depend on our processing purposes. If you are interested in using any of these rights, please contact our Data Protection Officer. You will not usually have to pay a fee to exercise any of these rights.

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.


If you are unhappy with any aspect of our processing of your personal data, we ask that you talk to us about it first, using the contact details set out above, and discuss your concerns with our DPM. If you are not satisfied with the outcome, you may lodge a complaint with the Information Commissioner’s Office.

If you have any questions about this Privacy Notice, please contact the DPM.