General Privacy Policy

1. Who are we?

We are Vistry Group PLC, a public limited company incorporated in England and Wales (company number 00306718) with our registered office at 11 Tower View, Kings Hill, West Malling, Kent, ME19 4UY (‘Vistry’).

We also do business through the following group company entities (each a ‘Group Entity’ or together, ‘Group Entities’):

  • Bovis Homes
  • Linden Homes
  • Vistry Partnerships
  • Drew Smith

Sometimes we will establish separate legal entities for our developments, those entities own the properties on a development. Where we establish a separate “legal entity” for a development, that entity will be a joint controller of any personal data collected in connection with the sale and marketing of those properties. You can find details of the legal entities that we have established here at this link

1.1 Personal information relating to you from which you can be identified and that we collect or which you provide is referred to in this General Privacy Policy as ‘Personal Data’.

1.2 This General Privacy Policy provides general information about how Vistry collects and uses Personal Data as a controller. Personal Data collected about you, how is it used or shared, sources it may be obtained from and for what purpose it may be used will also vary depending on the Group Entity you are dealing with who may act as a controller in respect of its processing as described thereunder. You should therefore also review the specific privacy policy that applies:

a) If you are a Bovis Homes customer or potential customer, by following this link

b) If you are a Linden Homes customer or potential customer, by following this link

c) Vistry Partnerships, by following this link

d) If you are a Drew Smith customer or potential customer, by following this link

e) If you are making a job application to a Vistry Group Entity, by following this link

(each is referred to as ‘Entity Privacy Policy’ or together ‘Entity Privacy Policies’).

2. Contact

2.1 If you have queries regarding this General Privacy Policy or want to exercise legal rights relating to your Personal Data (see ‘Your Data Protection Rights’ below), please contact Vistry’s data protection lead (‘DPL’) at:

2.2 Vistry Group PLC, Cleeve Hall, Cheltenham Road, Bishops Cleeve, Cheltenham, Gloucestershire GL52 8GD data.protection@vistrygroup.co.uk

2.3 This General Privacy Policy and/or any of the Entity Privacy Policies may be updated if there are any changes to Vistry’s or a Group Entity’s business, the law or relevant privacy practices. You should check that you have seen the latest version of this Privacy Policy or the Entity Privacy Policy that may apply. If there are any significant changes, you may be informed of these directly by post, email or another suitable medium.

3. What we use your Personal Data for

As well as the purposes referred to in each Entity Privacy Policy, Vistry may use your Personal Data where:

a) You contact us (e.g. to make an enquiry or complaint) so that we can deal with your issue or where we need to process such data when performing a task or service involving you;

b) We provide direct marketing about products or services or provide corporate information which may be of interest to you. Subject to applicable law, we may do this by post, phone or electronically;

c) We need to establish, enforce or defend any of our legal rights or deal with a legal claim;

d) We are required by applicable law, regulation, the order of any court or regulatory authority; or

e) We have another purpose which you are notified about at the time we collect the Personal Data.

4. Lawful grounds on which Vistry processes your Personal Data

4.1 When we collect and process your Personal Data, we observe the UK General Data Protection Regulation (‘GDPR’) and Data Protection Act 2018 (‘DPA’) together with other applicable laws that regulate the protection of personal data (as amended, updated or replaced from time to time) (together ‘Data Protection Law’).

4.2 When we process your Personal Data, Vistry will rely on one or more of the following lawful grounds:

a) To fulfil a contract we have with you (or to take steps at your request prior to entering a contract);

b) To comply with a legal obligation;

c) When Vistry (or someone else) has a legitimate interest to use such Personal Data, subject to such use not having an unduly negative or unfair impact on your privacy or prejudicing your rights and freedoms. In this case, the legitimate interest is being able to process Personal Data for the purpose of us (or our Group Entities) being able to effectively manage, organise and operate our/ their business;

d) When you consent to such processing or use;

e) To protect your vital interests or those of someone else, usually in cases of life or death; and/or

f) When we are exercising a statutory function or official task in the public interest, although this will only apply in exceptional situations.

For more information on the legal grounds that each Group Entity relies on, including grounds on which they may use special category or sensitive Personal Data, please refer to the relevant Entity Privacy Policy.

5. Disclosing your Personal Data

5.1 Vistry may disclose your Personal Data to certain third parties who handle data on our behalf and under contract only in accordance with our instructions (called ‘processors’) such as providers of IT support, data hosting or payment processing services.

5.2 Vistry may also disclose your Personal Data to a Group Entity (for a purpose as set out in the relevant Entity Privacy Policy) or to third parties who make their own determination as to how they use your Personal Data and for what purpose(s) such as a legal adviser or bank (who are acting as ‘controllers’ of that data). More information on who those controllers are and what they do is contained in the relevant Entity Privacy Policies. You should also check the privacy policies of those third party controllers to understand how they may use your Personal Data for their own purposes.

5.3 We may, very occasionally, transfer your Personal Data outside the UK or European Economic Area (‘EEA’). For example, we may do this: at your request; when performing a contract with you or on your behalf; to comply with a legal duty or in certain other situations where there is a reason to do so. When we make such a transfer, we will comply with Data Protection Law which may include us adopting adequate safeguards so that the transferred Personal Data is protected to equivalent standards as you enjoy under Data Protection Law.

5.4 Other than as described above, Vistry will not disclose your Personal Data to third parties without you reasonably expecting it, unless we are legally required and cannot tell you. We aim to ensure that Personal Data is only used by third parties with whom we share it in accordance with Data Protection Law.

6. Personal Data Retention

Vistry only keeps Personal Data for a long as we need to. We have data retention policies that set out the different periods we retain data for in respect of particular processing purposes, in accordance with our duties under Data Protection Law and other laws. Personal Data that we no longer need is erased or anonymised so you can no longer be identified. For more information on the retention criteria and practices of each Group Entity, please see the applicable Entity Privacy Policy.

7. Security

We employ appropriate technical and organisational security measures to protect your Personal Data from being accessed by unauthorised persons; being unlawfully processed; or from loss, destruction, or damage. Vistry also takes reasonable steps to protect Personal Data from external threats such as hacking.

However, there are always risks in sending information by public networks or using public computers and we cannot completely guarantee the security of all data sent to us.

8. Your Personal Data Rights

8.1 You have certain legal rights under Data Protection Law to the following:

a) To see a copy of the Personal Data that we hold about you as well as certain other information about what we do with that Personal Data (called a ‘subject access request’).

b) ) That we correct Personal Data that we hold about you which is inaccurate or incomplete;

c) That we erase your Personal Data without undue delay if we no longer need to hold or process it;

d) To object to automated processing that we may carry out in relation to your Personal Data (if applicable) for example if we conduct credit scoring or profiling with no human involvement;

e) To object to our use of your Personal Data to send you direct marketing;

f) To object to and/or to restrict the use of your Personal Data by Vistry unless we have a legitimate reason for continuing to use it for a particular purpose or purposes; or

g) That we transfer your Personal Data to another party where such data is automatically processed and has been collected with your consent or is being used to perform a contract with you.

If you would like to exercise any of the rights set out above, please contact our DPL at the address above.

8.2 If you make a request referred to above, we may first need to verify your identity or receive further information to locate the specific data you seek before we can respond in full. We usually have one month to respond from the date of receiving your request (or, if later, you verifying your identity or providing the information to locate such data). We may, if your request is complex in nature, require an additional two months to respond. We may lawfully refuse a request or charge for administrative time in the event of a manifestly unreasonable or excessive (usually repeated) request. We may also apply certain legal exemptions under Data Protection Law to limit our response. If you make a subject access request, we have to balance your rights against the rights of other individuals when your Personal Data is combined with their information.

8.3 If you make a request and are not satisfied with our response or believe that Vistry is illegally processing your Personal Data, you have the right to complain to the Information Commissioner’s Office (ICO) – see https://ico.org.uk/.