Midland Fire Direct Ltd — Privacy Notice
This notice explains what personal data we collect about you in the course of doing business, why we collect it, how we look after it, and what rights you have. It applies to anyone we contact in a B2B capacity — fire alarm engineers, fire-safety procurement staff, building managers — as well as to active customers, suppliers and our own employees where their work touches the systems described below.
We have written it to be readable. If anything is unclear, please ask.
1. Who we are and what we do
Midland Fire Direct Ltd (Midland Fire Direct) is a UK supplier of Gent (Honeywell) fire alarm equipment and related fire-safety products. We sell directly to fire alarm engineering firms and install/maintenance companies across the UK. We do not deal with consumers.
We are the data controller of the personal data described below.
2. What personal data we hold and where it comes from
We keep the smallest data set we can while still doing the work. In practice that means:
| Category | Specific fields | Where it comes from |
|---|---|---|
| Customer business contacts | Work name, work email, work phone, work mobile, role/job title, company you work for | You give it to us when you place an order, request a quote, or set up an account; SimPRO (our previous ERP); your colleagues |
| Prospect ("lead") business contacts | Same fields as above, plus your company's website and BAFE register reference if applicable | The publicly-available BAFE register; inbound enquiries you send us; referrals from existing customers |
| Correspondence | Emails to and from you, plus internal notes about that correspondence | The emails themselves (we keep send/receive records) |
| Transaction records | Quotes, jobs, invoices, deliveries, payments tied to your company | Created in the course of doing business with you |
| Supplier business contacts | Same fields as customer contacts | Supplier websites; account-opening paperwork; the suppliers themselves |
| Suppression list (post-erasure) | A one-way SHA-256 hash of your email — no name, no profile, just enough to recognise the address and not contact you again | Created when you opt out of marketing OR ask for full erasure (see §6) |
We do not knowingly collect:
- Personal addresses, home phone numbers, or any home contact details
- Date of birth, national insurance numbers, financial data outside the business invoicing we do directly with you
- Web tracking, advertising, or device fingerprinting data
- Any "special category" data (health, ethnicity, etc.)
- Children's data — our customers are all UK businesses
3. Why we hold it (lawful basis)
UK GDPR requires us to have a lawful basis for processing your personal data. We rely on:
- Legitimate interest — for keeping business contact details of people at our customer and supplier companies (Article 6(1)(f)). This is the standard basis B2B suppliers use. We have considered the balance and concluded that the impact on you of us holding your business contact details — to fulfil orders, send invoices, deliver goods and answer your questions — is minimal compared to the practical benefit. You can object at any time (see §6).
- Legitimate interest under PECR § 22(2)(b) — for outbound marketing-style emails to corporate subscribers (limited companies and similar). Every cold outbound carries an opt-out line. If you ask us to stop, we stop, and we add you to the suppression list (§4).
- Contract — for processing your contact details and transaction records when we are fulfilling an order you placed (Article 6(1)(b)).
- Legal obligation — for keeping invoice and accounting records for the period UK tax law requires (currently six years from the end of the relevant accounting period — Article 6(1)(c)).
We do not rely on consent for our core business processing, so you don't need to consent before we contact you about a quote or invoice. If we ever introduce optional marketing (e.g. a product newsletter) we will switch that activity to a consent basis with a clear opt-in tick box, separate from this notice.
4. The suppression list (the "right to erasure" paradox)
If you tell us to stop emailing you, we need to remember NOT to contact you again — otherwise we'd reach you again the moment a new BAFE scrape rediscovers your company. But if you also ask us to erase all your data, keeping a record of you seems contradictory.
UK GDPR explicitly handles this in Article 17(3)(b) — the right to erasure does not require us to forget that you opted out, because honouring your opt-out IS the legitimate interest. The ICO's direct-marketing guidance describes this as the "suppression file" or "do-not-contact list".
What we actually store:
- A SHA-256 hash of your email address (a one-way fingerprint — we can match a new email against the hash, but we cannot reverse it back into your address)
- The date you opted out
- A short text reason ("inbound unsubscribe", "GDPR erasure request", "operator added on phone request" etc.)
- Internal references to the original record so the operator can audit the chain if challenged
We do not keep: your name, your company name, your address or phone number, any history of what we previously contacted you about, or anything else that could identify you on its own.
This is the minimum information needed to honour your wish. We store it indefinitely — if we stopped keeping it after a few years, you'd start receiving our emails again, which would defeat the purpose. You can ask us to remove your hash from the suppression list at any time (effectively consenting to be contactable again); we will.
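To illustrate the mechanism this section describes, here is an added Python sketch (example code, not Midland Fire Direct's own system): it normalises an address before hashing so that case or whitespace differences cannot slip past the check, stores only the fingerprint plus the date, reason and internal reference listed above, and filters an outbound batch against the list. The addresses and record references are constructed; the class and function names are assumptions.

```python
import hashlib
from datetime import date


def normalise_email(address: str) -> str:
    """Canonicalise an address so the same mailbox always yields the same hash.
    Without this, 'Alex@Example.co.uk' and 'alex@example.co.uk ' would hash differently
    and the opt-out could be bypassed by accident."""
    return address.strip().lower()


def email_fingerprint(address: str) -> str:
    """One-way SHA-256 fingerprint (hex digest) of the normalised address."""
    return hashlib.sha256(normalise_email(address).encode("utf-8")).hexdigest()


class SuppressionList:
    """Keyed only by fingerprint: no name, company or contact history is stored (section 4)."""

    def __init__(self):
        # fingerprint -> {"opted_out": date, "reason": str, "ref": str}
        self._entries = {}

    def add(self, address: str, reason: str, ref: str, when: date = None) -> str:
        """Record an opt-out; a repeated opt-out keeps the original date and reason."""
        fp = email_fingerprint(address)
        self._entries.setdefault(
            fp, {"opted_out": when or date.today(), "reason": reason, "ref": ref}
        )
        return fp

    def is_suppressed(self, address: str) -> bool:
        return email_fingerprint(address) in self._entries

    def remove(self, address: str) -> bool:
        """Drop the hash when the person asks to be contactable again; True if it existed."""
        return self._entries.pop(email_fingerprint(address), None) is not None

    def entry(self, address: str):
        return self._entries.get(email_fingerprint(address))


def filter_outbound(recipients, suppression: SuppressionList):
    """Return only the recipients who have not opted out, for use before any send."""
    return [r for r in recipients if not suppression.is_suppressed(r)]
```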
5. Who we share it with
Your data stays inside Midland Fire Direct Ltd except where we have to share it to do the work:
- Accounting — Xero (cloud accountancy software) holds the contact details and invoice records of customers and suppliers we bill or pay. Xero is a UK data processor and acts on our instructions.
- Email delivery — outbound emails are sent via our mailbox provider (Microsoft 365). Inbound replies arrive the same way.
- Hosting — the ERP system that holds your data runs on hardware we own and control. We do not push your data to third-party AI services or cloud platforms. We do use AI agents on our own hardware to draft correspondence, but the AI never sees data it doesn't need (e.g. it does not see other customers' records while drafting your email).
- HMRC / regulators — we share records when legally required (tax returns, certain audit requests).
We do not sell, rent or share your data for marketing purposes with anyone outside this list.
6. Your rights and how to use them
Under UK GDPR you have the following rights. To exercise any of them, email alex@midlandfire.direct. Please use the email address we know you by, so we can locate your record. We aim to respond within one calendar month.
- Right of access — ask for a copy of everything we hold on you. We will respond with a structured export.
- Right to rectification — ask us to correct anything that's wrong.
- Right to erasure — ask us to delete your personal data. We will do so, keeping only the suppression hash (see §4) and any records we are legally required to retain (mainly invoices for the HMRC six-year retention window).
- Right to object — to stop us using your data for any purpose not strictly needed to fulfil a contract you have with us. The most common case is opting out of marketing, which is granted automatically. Reply to any of our emails with "unsubscribe" or use the link in the footer.
- Right to restriction — ask us to freeze processing while a dispute is resolved.
- Right to data portability — ask for a copy in a structured, commonly-used machine-readable format (we'll provide JSON or CSV).
You also have the right to complain to the Information Commissioner's Office (the UK regulator) — https://ico.org.uk/concerns/ or 0303 123 1113. We'd appreciate the chance to put things right first, but you can go straight to them at any time.
7. How long we keep your data
| Data | Retention period | Why |
|---|---|---|
| Active business contacts | While you are an active customer or supplier, plus 2 years afterwards | Time to reconcile any open queries, warranties, returns |
| Quote / job / delivery records | 6 years from the end of the accounting period the transaction belonged to | UK tax law (Finance Act / VAT regs) |
| Invoice records | 6 years from the end of the accounting period | UK tax law |
| Correspondence | 2 years after last contact | Operational reference; can be erased on request earlier |
| Lead records (never converted) | 12–24 months — then automatically archived or pseudonymised | We don't need to remember someone who never engaged. See §8 for the auto-archive policy |
| Suppression-list hash | Indefinite | The whole point — see §4 |
| GDPR audit log (who requested what, when) | 7 years | To prove we handled requests correctly if challenged |
8. Automated handling and AI
We use software agents (running on our own hardware, not external AI services) to:
- Draft initial outreach emails to leads — a human reviews every first email before it goes out
- Parse inbound replies to spot opt-out / "delete my data" requests
- Tidy old quotes that have gone quiet (chase up status, or archive)
The agents do not make decisions that significantly affect you without a human in the loop. You can ask us to handle your correspondence without AI involvement at any time — just say so in any reply and the operator will take over manually.
9. Security
The system that holds your data sits on hardware we own. Database access is restricted to the operator account. Outbound and inbound email goes through our managed Microsoft 365 tenant with multi-factor authentication. Backups are stored on encrypted local media. We do not use third-party "AI" cloud services for processing your data.
If there's ever a data breach that's likely to affect you, we'll tell you and the ICO within 72 hours, as required.
10. Changes to this notice
We may update this notice if our practices change. The "last updated" date at the top will reflect the latest version. Material changes (e.g. new processors, new categories of data) will be communicated to active contacts by email.