Home > Legal > Sunswap Privacy Notice

Sunswap Privacy Notice

1. Introduction and summary

This Privacy Notice explains how we collect, use, protect and share (process) your personal information and your legal rights in relation to that processing.

In this Privacy Notice, the terms "we", "us" or "our" all mean Sunswap Ltd (company number 12407155). You can find out how to contact us at the end of this Privacy Notice.

We are a controller in relation to the processing of your personal information. This means that we are the company responsible for deciding the purpose (why) and the means (how) your personal information is processed.

This privacy notice is intended for our customers and suppliers. We have a separate privacy notice that we provide to our employees.

We mainly process the personal information of our customers and suppliers to respond to enquiries about our products and services and to do business with those customers and suppliers.

2. The personal information we collect and how we collect it

We may collect the following personal information when you contact us:

Name
Job title
The company you represent
Email address
Work address
Phone number
The content of any communication such as emails and enquiry forms
Video images on Microsoft Teams meetings if they are recorded

We obtain this information directly from you (or in some instances from the company you represent) when you phone us (or we phone you); when you use an enquiry form on our website; if you reach out to us on LinkedIn or other social media platforms; if you visit us at our offices or have a virtual meeting with our employees; or if one of our employees meets you at an industry event.

We may also obtain your personal information from other sources including Companies House, LinkedIn, news articles and trade associations (for example, Cold Chain Federation).

3. Why we process your personal information and the legal basis under which we process it

The table below sets out the different reasons why we process your personal information. It also shows you the legal basis under which we are allowed to process it.

Why we process your personal information	The legal basis for such processing
To manage our business relationship with the organisation that you represent, including: responding to customer enquiries, providing customer service, providing account management services, negotiating, concluding and performing business transactions.	Contract; and, Legitimate interests in responding to business enquiries, providing good customer service and managing our business relationships.
To ensure compliance with contractual obligations between us and the organisation you represent.	Contract.
To ensure compliance with applicable laws and regulations to which we are subject, based on our relationship with the organisation that you represent.	Legal obligation.
To track communications and analyse call metrics to improve the effectiveness in which we conduct business with the organisation that you represent.	Legitimate interests in improving our business activities.
To market our products and services to the organisation that you represent.	Consent; and, Legitimate interests in promoting our business to ensure its long-term success.
To provide aftermarket services for our products to the organisation that you represent.	Contract.
To conduct market research and product improvement activities.	Consent; and, Legitimate interests in improving our products and services.
To ensure the effective functioning, performance and security of our website.	Consent; and, Legitimate interests in making sure our website operates correctly and securely.
To enable a sale or potential sale of our company or all or part of our business.	Legitimate interest in achieving our long-term strategic objectives.

4. How long we keep your personal information

We keep your personal information for as long as is necessary based on the purpose for which we originally processed it. We also consider the amount, nature, and sensitivity of the information, the potential risk of harm that might result if it was inadvertently disclosed, as well as any taxation, accounting or other legal requirements and guidelines.

We delete your personal information from our systems after this period of time.

5. Who we share your personal information with and why

The table below sets out the different organisations that we share your personal information with, where they are located, some of the security measures they use to protect your personal information and the service that they provide for us.

Who we share your personal information with	The service they provide for us
Aircall - Aircall is a cloud-based communications platform provider based in France.	Aircall uses advanced technical and robust organisational security measures, including encryption, and is SOC2 audited. We use Aircall to analyse call metrics (frequency, response times, etc) to ensure that we are providing prompt and efficient customer support and account management services to our customers and suppliers.
Airtable - Airtable is a cloud-based relational database platform provider based in the US.	Airtable uses advanced technical and robust organisational security measures, including encryption, it is ISO27001 certified and SOC2 audited. We use Airtable to automate a range of key processes across our business to maximise efficiency, including: product order processing and sales support, supplier stock management and goods procurement, aftermarket services ticketing and customer support.
Intuit (Mailchimp) - Mailchimp is an email marketing platform provider based in the US.	Mailchimp uses advanced technical and robust organisational security measures, including encryption, it is ISO27001 certified and SOC2 audited. We use Mailchimp to manage our email marketing communications to customers and suppliers.
Microsoft - provider based in the EU and the US.	Microsoft uses advanced technical and robust organisational security measures, including encryption, it is ISO27001 certified and SOC2 audited. We use Microsoft products and services to facilitate key processes, including: email communications to customers and suppliers, Teams video conferencing with customers and suppliers, real-time product performance data and analytics through our customer portal, cloud-based data storage and hosting.
XERO - XERO is a business accounting and payment platform provider based in the US.	XERO uses advanced technical and robust organisational security measures, including encryption, it is ISO27001 certified and SOC2 audited. We use XERO to provide goods procurement and payment services to our suppliers.

6. Transferring your personal information outside the UK

Some of the companies identified in section 5 of this Privacy Notice are based outside the UK and this means that some of your personal information will be transferred and stored in countries outside the UK.

The UK's general data protection regulations (UK GDPR) provide strict rules governing how these transfers can take place to ensure that your personal information is always protected.

We only transfer your personal information to companies:

based in the EU or the US;
with whom we have written contracts in place, setting out each party's legal processing obligations; and
that have rigorous technical and organisational security processes and procedures in place.

Where we transfer your personal information to companies outside the UK, we do so:

under the UK adequacy regulations (the country has been assessed as providing adequate protection for people’s rights and freedoms about their personal information); or
where we and the other company have entered into a contract incorporating the necessary standard data protection clauses recognised or issued in accordance with UK data protection law.

7. Automated decision making, including profiling

Automated decision making is the process of making a decision by automated means (without any human involvement) based on the processing of an individual's personal information.

Profiling is the process of making predictions or decisions about an individual based on the processing of their personal information.

The UK GDPR gives you the right not to be subject to solely automated decisions, including profiling, which will have a legal or similarly significant effect on you.

We do not make decisions about you by solely automated means that may have a legal or similarly significant effect on you.

We do not undertake profiling about you that may have a legal or similarly significant effect on you.

8. Website cookies and other tracking technologies

Cookies are tiny files that are downloaded to your computer when you visit a website. They are used for a variety of reasons including to improve your user experience and to identify which parts of the website you have visited.

You can find out about the cookies we use on our website, and why we use them, in our Cookie Policy.

9. Your rights

The UK GDPR sets out your legal rights in relation to the processing of your personal information. Under the UK GDPR you have the right to:

Request access to a copy of the personal information we hold about you (subject access request).
Request correction of inaccurate or incomplete personal information.
Request erasure of your personal information (the right to be forgotten).
Object to processing for direct marketing purposes or where we cannot demonstrate a clear legitimate interest.
Request restriction of processing in some circumstances.
Request transfer of your personal information to you or to a third party in a machine-readable format (data portability).
Withdraw consent where we rely on consent as the legal basis.
Make a complaint about the processing of your data.

In addition to the rights above, you would have certain other rights if we were to make decisions about you based on solely automated means, including profiling, that might have a legal or similarly significant effect on you. As stated in section 7 of this Privacy Notice, we do not currently do this.

10. How to contact us

If you have any questions regarding how we process your personal information or any of your rights:

By email: [email protected]
By post: DPO, Sunswap Ltd, Unit 9, Mole Business Park, Randalls Road, Leatherhead KT22 7BA

11. Your right to complain

If you have a concern regarding how your personal information has been processed by us, please contact us at the address above explaining your concern and providing suitable contact details and we will do our best to promptly resolve any issue.

You also have the right to make a complaint to the Information Commissioner's Office (ICO). The ICO regulates data protection and information rights compliance in the UK. You can find more information on the ICO website.

12. Last updated

This Privacy Notice was updated on 01 November 2025.

It was updated to make it easier to understand and to provide more detailed information regarding why we process the personal information of our customers and suppliers and who we share that information with.