Privacy Policy
This privacy policy sets out how this website (hereafter "The Portal") uses and protects any information that you give The Portal while using this website. The Portal is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement. This privacy notice may be updated at any time, for any substantial updates to this policy you will be informed.
The information we hold about you
All personal data collected as part of registering for an account on The Portal will be used only to facilitate the delivery of PPE, related items and any other (future) product offerings to yourself and your organisation. The personal data held by The Portal includes:
· Full name: This is to ensure delivery of items are sent to the correct peoples and/or organisation.
· Email address: This data will be used as a contact detail for accounts registered on the platform. Email address data will be used to issue any communications relating to the service, including (but not limited to) emails regarding account registration, order confirmation, forgotten passwords and shipment confirmation. Further communications may be sent regarding important service and PPE-related updates, sector-specific updates for public health purposes such as health and care service-delivery and for marketing and user feedback purposes.
· Contact number: (telephone and/or mobile): This is to ensure that there is a contact number for the account registered on the Portal. This may be used to contact registered account holders regarding any urgent Portal service-related issue, for example an issue with delivery. We may also conduct outbound calls and other proactive communications using these contact numbers for the purposes of prevailing public health priorities and the public interest. Please note that all these activities will only be done where necessary.
· Address details, including postcode: This ensures we have the delivery site(s) registered to the account to enable our logistics and delivery partners to facilitate, fulfil and complete the delivery of items.
Under Article 6 of the United Kingdom General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
· Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Data security and retention
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We have in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We aim for the personal data collected for the facilitation of the platform, service and associated operations to be retained for no longer than the purposes for which it is being processed.
To ensure we only retain data for as long as necessary, the PPE Portal operates an inactive user policy to remove accounts that have not been accessed for 6 months.
How we determine activity on the Portal:
• Date of last login
• Date of last order placed
Once an account becomes inactive, the account and relevant personal data will be archived for 1 month before deletion. When an account is archived, we notify inactive account holders via email. Should you wish to keep your account active please ensure you sign-in on the Portal.
Data sharing
The Portal may share your data with third parties where it is required by law, or where it is necessary to provide you and your organisation with our services. The Portal shares the following data with third parties:
CTI Digital, responsible for the building, running, maintenance and development of the online platform / system part of the service.
Clipper Logistics, acting as delivery partner for the Portal. Clipper Logistics will receive information and personal data pertaining to order delivery, this is currently limited to:
- Customer’s email (we hash this replacing the customers actual email)
- Customer company name
- Customer last name
- Customer delivery address
- Order items
Any (future) changes to the data transmitted to Clipper will be for the purposes of improving user experience, logistical efficiencies and flexible distribution.
Unipart, for the purposes of customer services to this organisation.
For (adult) social care providers that are not CQC-registered and who register onto The Portal, the following data may be shared with their relevant Local Authority(s)*:
- Customer Sector type
- Organisation Name
- Email address
- Postcode
*This is to (a) provide checks and verifiable assurances that the user is who they say they are and (b) if they are a previously unidentified unpaid carer or personal assistant (employer), to direct them to extra support.
Please note that The Portal will not disclose your personal data unless we are satisfied that they are legally entitled to view the data. Where we do disclose your personal data, we require third parties to respect the security of your data and to treat it in accordance with the law.
Your rights as a data subject
Under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a ‘data subject access request’). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
- Request correction of the personal information that we hold about you;
- Request the erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it;
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
- Request the transfer of your personal information to another party;
- Withdraw consent to receive marketing communications, if given, by emailing ppeportal.queries@unipart.com
- If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact ppeportal.queries@unipart.com
- You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
How we use cookies
A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added, and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
When you use The Portal, we may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer. They help us to improve The Portal and to deliver a better and more personalised service.
We use traffic log cookies, among others, to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
We use Hotjar with carefully selected pages only, in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (for example how much time they spend on which pages, which links they choose to click, what users do and don’t like) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.
For further details, please see the ‘about Hotjar’ section of Hotjar’s support website (click here).
Alongside Hotjar, The Portal also uses Google Analytics and Google Tag Manager to help us improve our service. For a full breakdown of the cookies used by third parties on The Portal, please see below.
List of cookies we collect
The table below lists the cookies we collect and what information they store.
| Cookie Name | Cookie Desciption |
| FORM_KEY | Stores randomly generated key used to prevent forged requests. |
| PHPSESSID | Your session ID on the server. |
| GUEST-VIEW | Allows guests to view and edit their orders. |
| PERSISTENT_SHOPPING_CART | A link to information about your cart and viewing history, if you have asked for this. |
| STF | Information on products you have emailed to friends. |
| STORE | The store view or language you have selected. |
| USER_ALLOWED_SAVE_COOKIE | Indicates whether a customer allowed to use cookies. |
| USER_NOT_SAVE_COOKIE | Indicates that a customer has opted out of tracking cookies. |
| MAGE-CACHE-SESSID | Facilitates caching of content on the browser to make pages load faster. |
| MAGE-CACHE-STORAGE | Facilitates caching of content on the browser to make pages load faster. |
| MAGE-CACHE-STORAGE-SECTION-INVALIDATION | Facilitates caching of content on the browser to make pages load faster. |
| MAGE-CACHE-TIMEOUT | Facilitates caching of content on the browser to make pages load faster. |
| SECTION-DATA-IDS | Facilitates caching of content on the browser to make pages load faster. |
| PRIVATE_CONTENT_VERSION | Facilitates caching of content on the browser to make pages load faster. |
| X-MAGENTO-VARY | Facilitates caching of content on the browser to make pages load faster. |
| MAGE-TRANSLATION-FILE-VERSION | Facilitates translation of content to other languages. |
| MAGE-TRANSLATION-STORAGE | Facilitates translation of content to other languages. |
List of cookies collected by third parties
The table below lists the cookies collected by third parties that are used on the website.
| Created By | Service Name | Cookie Name | Cookie Description | Default Expiration |
| gtag.js & analytics.js | Google Analytics & Google Tag Manager | _ga | Used to distinguish users. | 2 years. |
| gtag.js & analytics.js | Google Analytics & Google Tag Manager | _gid | Used to distinguish users. | 24 hours. |
| gtag.js & analytics.js | Google Analytics & Google Tag Manager | _gat | Used to throttle request rates. | 1 minuite. |
| gtag.js & analytics.js | Google Analytics & Google Tag Manager | AMP_TOKEN | Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service. | 30 seconds to one year. |
| gtag.js & analytics.js | Google Analytics & Google Tag Manager | _gac_ | Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out. | 90 days |
| ga.js | Google Analytics | __utma | Used to distinguish users and sessions. The cookie is created when the javascript library executes and no existing __utma cookies exists. The cookie is updated every time data is sent to Google Analytics. | 2 years from set/update |
| ga.js | Google Analytics | __utmt | Used to throttle request rate. | 10 minutes |
| ga.js | Google Analytics | __utmb | Used to determine new sessions/visits. The cookie is created when the javascript library executes and no existing __utmb cookies exists. The cookie is updated every time data is sent to Google Analytics. | 30 mins from set/update |
| ga.js | Google Analytics | __utmc | Not used in ga.js. Set for interoperability with urchin.js. Historically, this cookie operated in conjunction with the __utmb cookie to determine whether the user was in a new session/visit. | End of browser session |
| ga.js | Google Analytics | __utmz | Stores the traffic source or campaign that explains how the user reached your site. The cookie is created when the javascript library executes and is updated every time data is sent to Google Analytics. | 6 months from set/update |
| ga.js | Google Analytics | __utmv | Used to store visitor-level custom variable data. |
2 years from set/update
|
| Hotjar | Hotjar | _hjSessionUser_{site_id} | Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Ensures data from subsequent visits to the same site are attributed to the same user ID. JSON data type. |
1 year |
| Hotjar | Hotjar | _hjid | Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Ensures data from subsequent visits to the same site are attributed to the same user ID. UUID data type. |
1 year |
| Hotjar | Hotjar | _hjFirstSeen | Identifies a new user's first session. Used by recording filters to identify new user sessions. Boolean true/false data type. |
Session duration |
| Hotjar | Hotjar | _hjUserAttributesHash | User Attributes sent through the Hotjar Identify API are cached for the duration of the session. Enables us to know when an attribute has changed and needs to be updated. Hash data type. |
Session duration |
| Hotjar | Hotjar | _hjCachedUserAttributes | Stores User Attributes sent through the Hotjar Identify API, whenever the user is not in the sample. Collected attributes will only be saved to Hotjar servers if the user interacts with a Hotjar Feedback tool. Cookie used regardless of whether a Feedback tool is present. JSON data type. |
Session duration |
| Hotjar | Hotjar | _hjViewportld | Stores user viewport details such as size and dimensions. Session duration. UUID data type. |
Session duration |
| Hotjar | Hotjar | _hjSession_{site_id} | Holds current session data. Ensures subsequent requests in the session window are attributed to the same session. JSON data type. |
30 minutes |
| Hotjar | Hotjar | _hjSessionTooLarge | Causes Hotjar to stop collecting data if a session becomes too large. Determined automatically by a signal from the WebSocket server if the session size exceeds the limit. Boolean true/false data type. |
Session duration |
| Hotjar | Hotjar | _hjSessionRejected | If present, set to '1' for the duration of a user's session, when Hotjar has rejected the session from connecting to our WebSocket due to server overload. Applied in extremely rare situations to prevent severe performance issues. Boolean true/false data type. |
Session duration |
| Hotjar | Hotjar | _hjSessionResumed | Set when a session/recording is reconnected to Hotjar servers after a break in connection. Boolean true/false data type. |
Session duration |
| Hotjar | Hotjar | _hjLocalStorageTest | Checks if the Hotjar Tracking Code can use local storage. If it can, a value of 1 is set. Data stored in_hjLocalStorageTest has no expiration time, but it is deleted almost immediately after it is created. Boolean true/false data type. |
Under 100ms Duration |
| Hotjar | Hotjar | _hjIncludedInPageviewSample | Set to determine if a user is included in the data sampling defined by your site's pageview limit. Boolean true/false data type. |
30 minutes |
| Hotjar | Hotjar | _hjIncludedInSessionSample | Set to determine if a user is included in the data sampling defined by your site's daily session limit. Boolean true/false data type. |
30 minutes duration |
| Hotjar | Hotjar | _hjAbsoluteSessionInProgress | Used to detect the first pageview session of a user. Boolean true/false data type. |
30 minutes duration |
| Hotjar | Hotjar | _hjTLDTest | We try to store the _hjTLDTest cookie for different URL substring alternatives until it fails. Enables us to try to determine the most generic cookie path to use, instead of page hostname. It means that cookies can be shared across subdomains (where applicable). After this check, the cookie is removed. Session duration. Boolean true/false data type. |
Session duration |
| Hotjar | Hotjar | _hjRecordingEnabled | Set when a Recording starts. Read when the Recording module is initialized to see if the user is already in a recording in a particular session. Boolean true/false data type. |
Session duration |
| Hotjar | Hotjar | _hjRecordingLastActivity | Set in Session storage as opposed to cookies. Updated when a user recording starts and when data is sent through the WebSocket (the user performs an action that Hotjar records). Numerical Value (Timestamp) data type. |
Session duration |
| Hotjar | Hotjar | _hjClosedSurveyInvites | Set when a user interacts with an external link Survey invitation modal. Ensures the same invite does not reappear if it has already been shown. Boolean true/false data type. |
365 day duration |
| Hotjar | Hotjar | _hjDonePolls | Set when a user completes an on-site Survey. Ensures the same Survey does not reappear if it has already been filled in. Boolean true/false data type. |
365 day duration |
| Hotjar | Hotjar | _hjMinimizedPolls | Set when a user minimizes an on-site Survey. Ensures that the Survey stays minimized when the user navigates through your site. Boolean true/false data type. |
365 days duration |
| Hotjar | Hotjar | _hjShownFeedbackMessage | Set when a user minimizes or completes a Feedback widget. Ensures the Feedback widget will load as minimized if the user navigates to another page where it is set to show. Boolean true/false data type. |
365 days duration |
Company details for data protection issues
Name and address of Group company:
FAO Company Secretary Supply Chain Coordination Limited, Wellington House, 133-155 Waterloo Road, London SE1 8UG.
Data Protection Officer To whom initial issues should be addressed
Data Protection Officer (DPO) Supply Chain Coordination Limited, Wellington House, 133-155 Waterloo Road, London SE1 8UG.
Competent supervisory authorities:
For UK: Information Commissioner Office, tel: 0303 123 1113
or https://www.gov.uk/data-protection/make-a-complaint