1. Who we are and how to contact us


This website, constructioncertification.co.uk (the “Website”), and the booking, application and training services offered through it (the “Services”) are operated by Construction Certification Ltd (“we”, “us”, “our”).
 
We are the “controller” responsible for your personal data in respect of the processing described in this Policy, except where this Policy states that another organisation acts as a separate controller (see Section 8).
 
Construction Certification Ltd

•      Registered in England and Wales, company number 11343266

•      Registered office: 167-169 Great Portland Street, 5th Floor, London, England, W1W 5PF

•      VAT number: 369759622

•      Registered with the Information Commissioner’s Office (“ICO”), registration reference ZA487263

Contacting us about your data. For any privacy question, or to exercise your rights, please contact us through our Contact Us page, or by email at [email protected], or by post to the registered office above (marked “Data Protection”). We have appointed a person responsible for privacy matters who can be reached using these details.
 
We are not required by law to appoint a statutory Data Protection Officer and have not done so; the contact above handles all data protection queries. If your circumstances change this should be reviewed.
 
Important: who we are not. We are an independent booking agent that works with the construction industry. We are not part of, affiliated with, or endorsed by CITB, CSCS, any test centre, examining board or awarding body. Those organisations operate their own services and privacy policies (see Section 8).
 

2. Scope of this Policy


This Policy applies to personal data we collect: (a) through the Website and our online forms; (b) when you book a CITB Health, Safety & Environment test, apply for a CSCS card, skill card or JIB PMES card, purchase revision material, or enrol on an NVQ, EUSR, Health, Safety & Awareness or other e-learning course; (c) when you contact us by any channel; and (d) from third parties and other sources described in Section 5.
 
Our Services are intended for business customers and for individuals purchasing for work-related purposes. The Website is not directed at children (see Section 16).
 

3. Key terms


“UK GDPR” means the retained EU General Data Protection Regulation as it forms part of UK law, together with the Data Protection Act 2018. “PECR” means the Privacy and Electronic Communications (EC Directive) Regulations 2003, which govern marketing by electronic means (email, SMS, messaging apps, telephone). “personal data” means information relating to an identified or identifiable individual. “special category data” means the more sensitive categories of data listed in Article 9 UK GDPR. “processing” means any operation performed on personal data. “Group” is defined in Section 9.
 

4. Personal data we collect


We collect and process the broad range of information reasonably necessary to provide, administer, improve and develop our Services; to fulfil and process your orders, including with the third parties needed to deliver them; to keep you informed; and to offer and introduce you to products and services that may be relevant to you, such as training, recruitment, technology and other products. The categories we collect are:
 
•      Identity data: title, first and last name, date of birth, nationality and/or preferred language, and (where relevant to a card or course) photographic identification, identification document details and right-to-work information.
 
•      Contact data: email address, telephone and mobile number, postal address, company/employer name, and any messaging-app identifier (for example a WhatsApp number) you use to contact us or that you provide.
 
•      Order and service data: the test, card, course or product you select, your chosen and preferred test centres, dates and times, order and booking references, account log-in and course-progress data, assessment and certification records, qualifications and supporting documents you upload, and your correspondence and enquiry history with us.
 
•      Transaction data: details of products and Services purchased, amounts, dates, and records of payments. Card payment details are processed by our secure payment provider; we do not store full card numbers.
 
•      Marketing and communications data: your preferences for receiving marketing, the channels and product types you have agreed to or objected to, and your engagement with our messages (for example whether an email was opened or a link clicked).
 
•      Technical and usage data: IP address, device, browser and operating-system information, the pages you visit and how you use the Website, and similar information collected through cookies and similar technologies (see Section 15).
 
•      Special category and related data: occasionally an order, qualification, exam adjustment or support request may reveal information capable of being special category data (for example health information relevant to a reasonable adjustment). We collect such data only where necessary, only with an appropriate lawful condition (see Section 12), and we minimise it. Information about criminal convictions is not routinely collected.
 
Nationality and right-to-work information are collected where required for a card or course. Nationality is not, by itself, special category data, but we handle it with care.
 
If you do not provide it. Where data is needed to perform a contract or to comply with a legal requirement, we may be unable to provide the relevant Service if you do not supply it.
 

5. How we collect your personal data


•      Directly from you when you complete a form, place an order, create a course account, upload documents, or contact us by web form, email, telephone, live chat, messaging app, post or social media.
 
•      Automatically as you use the Website, through cookies, server logs and similar technologies.
 
•      From third parties, such as the person or business who booked on your behalf (for example an employer placing a group booking), test centres, examining boards and awarding bodies, payment and fraud-prevention providers, and analytics and advertising providers.
 

6. How and why we use your personal data


Under data protection law we must have a “lawful basis” for each use of your personal data. We rely on the bases set out below. Where we rely on legitimate interests, we have carried out a balancing assessment and consider that our interests are not overridden by your interests or rights; you may ask us for further information about that assessment.
 
Provide and administer the Services: process and submit your booking, card or course application, take payment, set up course access, issue confirmations, manage rescheduling, retakes, refunds and support.

Data used: Identity, Contact, Order, Transaction data.
 
Lawful basis: Performance of a contract with you (Art. 6(1)(b)); where you are not the contracting party, our legitimate interests in providing the booked Service (Art. 6(1)(f)).
 
Fulfil and process your orders with third parties: share and process your data with the test centres, examining boards, awarding bodies, training providers, payment processors and other providers required to deliver what you have ordered.

Data used: Identity, Contact, Order, Transaction data.
 
Lawful basis: Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in fulfilling orders efficiently; legal obligation where applicable (Art. 6(1)(c)).
 
Service and transactional communications: send confirmations, document and information requests, status updates, and reminders – including reminders that a booking is incomplete, that documents are outstanding, and that a CITB test, CSCS card, qualification, certificate or course access is due to expire or needs renewal.

Data used: Identity, Contact, Order data.
 
Lawful basis: Performance of a contract (Art. 6(1)(b)) for messages necessary to deliver the Service; and our legitimate interests (Art. 6(1)(f)) in keeping you informed, reducing missed renewals and providing a useful service.
 
Tell you about our own related and beneficial products and Services: for example revision material, the right test or card, training and courses, NVQs, renewals, and – where relevant to you – recruitment, technology and other products we offer.

Data used: Identity, Contact, Order, Marketing data.
 
Lawful basis: Our legitimate interests (Art. 6(1)(f)) in promoting our products and Services, exercised in accordance with PECR; consent (Art. 6(1)(a)) where required for the channel or product type (see Section 7).
 
Introduce you to, and where you have consented share your data with, selected third parties whose products or services you are likely to want (such as training, recruitment, technology or finance).

Data used: Identity, Contact, Order, Marketing data.
 
Lawful basis: Consent (Art. 6(1)(a)) for sharing your data with a third party for their own marketing; our legitimate interests (Art. 6(1)(f)), in line with PECR, where we promote such products to you ourselves without disclosing your data.
 
Marketing you have opted into: newsletters, offers, product news and updates about us and, where you agree, our Group and selected partners.

Data used: Identity, Contact, Marketing, Usage data.
 
Lawful basis: Consent (Art. 6(1)(a)) and/or legitimate interests where PECR permits (Art. 6(1)(f)).
 
Improve, personalise and develop our Website, Services and content; analytics and statistics.

Data used: Order, Marketing, Technical, Usage data.
 
Lawful basis: Legitimate interests (Art. 6(1)(f)); consent for non-essential cookies (Art. 6(1)(a) / PECR).
 
Group administration and shared functions: internal administration, customer support, IT, security and management reporting across our Group.

Data used: Most categories, as needed.
 
Lawful basis: Legitimate interests (Art. 6(1)(f)) – internal administration within a group of undertakings is a recognised legitimate interest.
 
Security, fraud prevention, and protecting our Website, systems and business.

Data used: Identity, Contact, Transaction, Technical data.
 
Lawful basis: Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)).
 
Comply with legal and regulatory obligations, including accounting, tax and responding to lawful requests.

Data used: Identity, Contact, Transaction data.
 
Lawful basis: Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)).
 
Establish, exercise or defend legal claims, manage disputes, complaints and refunds, and in connection with a sale, reorganisation or transfer of our business.

Data used: Most categories, as needed.
 
Lawful basis: Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)).
 
 
Our legitimate interests. These include operating, protecting, growing and developing our business commercially; marketing our products and Services; working with our Group and partners; and running our operations efficiently. We pursue these interests actively. Data protection law requires us to weigh them against your interests and rights, and we have done so; you can object to processing based on legitimate interests as explained in Section 13.
 
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider we need to use it for a compatible purpose. If we need to use it for an unrelated purpose, we will tell you and explain the lawful basis.
 
Changing the lawful basis. Where we rely on consent you may withdraw it at any time (see Section 13); withdrawal does not affect processing carried out before withdrawal, and we may continue to use your data for service communications and other purposes that rest on a different lawful basis.
 

7. Service communications, reminders and marketing


We treat communications in two distinct categories.
 
7.1 Service communications and reminders (not marketing)
 
To deliver and support the Services you have requested, we will contact you with messages that are necessary or directly related to your order. These are part of the Service, not marketing, and you will receive them regardless of your marketing preferences. They include:
 
•      booking, application, payment and account confirmations and receipts;
 
•      requests for documents, identification, qualifications or information needed to progress your order, and reminders to complete an incomplete booking or application;
 
•      test, exam, course and appointment details, changes and results-related guidance and next steps;
 
•      expiry and renewal reminders – reminders sent at appropriate intervals that your CITB test, CSCS card, qualification, certificate or course access is approaching expiry or is due for renewal, together with information about how to renew and related Services that may be required to do so; and
 
•      important notices, such as changes to these terms, the Services or this Policy.
 
Because these messages are necessary for, or closely related to, the Service you bought, we send them on the basis of contract and/or our legitimate interests and they are not subject to marketing consent. We will still always identify ourselves and provide a means to raise queries.
 
7.2 Marketing
 
Our own products – existing-customer (“soft opt-in”) marketing. Where you have bought, or negotiated to buy, a Service from us, and you did not opt out when we collected your details, we may send you marketing about our own similar products and Services (for example related courses, cards, revision material and renewals) by email and SMS, relying on our legitimate interests as permitted by PECR. Every such message offers a simple way to opt out.
 
Our own products – wider categories. We may also market our own and Group products in wider categories – such as training, recruitment and technology – by the channels you have agreed to. Where a product is not similar to what you bought, or where the channel requires it, we will rely on your consent.
 
Introducing you to third parties’ products. We work with selected partners (for example providers of training, recruitment, technology and finance) whose products you may want. We can do this in two ways: (a) we tell you about a partner’s product ourselves, without passing your details to the partner; or (b) where you have given consent, we pass your contact details to the partner so they can contact you directly. We only disclose your details to a partner for the partner’s own marketing where you have consented to that, or where you ask us to put you in touch.
 
Telephone marketing. We may make live marketing calls unless you have told us not to or your number is registered with the Telephone Preference Service and you have not consented. Automated or recorded marketing calls are made only with consent.
 
Opting out. You can opt out of marketing at any time – by using the unsubscribe link or reply instructions in any message, by adjusting your preferences, or by contacting us (Section 1) with your first name, last name and the email address you used. We will action your request promptly and may keep a record of your contact details on a suppression list to ensure we respect your choice. Opting out of marketing will not stop service communications (Section 7.1).
 
7.3 Channels we may use
 
Where lawful, and subject to the rules above and your preferences, we may communicate with you through any of the following channels, using the contact details you provide: email, SMS/text, telephone, post, live chat, messaging applications (including WhatsApp), and in-account or on-Website messaging. Standard network or messaging-app charges may apply, and third-party messaging providers process messages under their own terms and privacy policies.
 
7.4 How we obtain and manage your consent
 
Where we rely on your consent – for example for marketing by certain channels, for sharing your data with third parties for their own marketing, or for non-essential cookies – that consent will be:
 
•      requested separately from this Policy and our Terms, so that agreeing to the Terms does not bundle in marketing consent;
 
•      specific and granular, so you can choose the channels (such as email, SMS, telephone or messaging apps) and the types of product you wish to hear about (such as training, recruitment, technology or partner products);
 
•      given by a clear, affirmative opt-in (we do not use pre-ticked boxes); and
 
•      recorded, so we can demonstrate what you agreed to and when.
 
You can change your mind at any time using the methods in Section 7.2. Withdrawing consent does not affect the lawfulness of processing before withdrawal, nor our service communications or other processing that rests on a different lawful basis.
 

8. Who we share your personal data with


We share personal data only as needed for the purposes in this Policy, and we require those who process data on our behalf to keep it secure and use it only on our instructions. We may share data with:
 
•      Third parties needed to fulfil your order. We share your data with whichever organisations are necessary to process and deliver what you ordered – including CITB, CSCS, test centres, examining boards, awarding bodies, training providers and payment processors.
 
•      CITB, CSCS, test centres, examining boards and awarding bodies. These organisations are independent controllers and process your data under their own privacy policies; we are not responsible for their processing. Please review their policies, including at citb.co.uk and cscs.uk.com.
 
•      Service providers (processors) who support us, such as hosting and IT, payment processing, identity verification, email/SMS and messaging delivery, customer support, course/exam platforms, analytics and marketing tools. They act on our instructions under written contracts.
 
•      Our Group companies for the purposes described in Sections 6 and 9.
 
•      Selected partners (for example providers of related training, recruitment, technology or financial products) – for their own marketing only where you have consented (see Section 7.2); and otherwise only where they act as a processor on our behalf or where the sharing is otherwise lawful.
 
•      Professional advisers, authorities and others where necessary to comply with the law, enforce our terms, prevent fraud or harm, or protect our rights; and, in connection with a sale, merger, reorganisation or transfer of our business, to the relevant party and its advisers.
 
We do not sell your personal data.
 

9. Our Group and companies under common control


“Group” means Construction Certification Ltd together with its holding company (if any), and any subsidiary or other company that, from time to time, is under common ownership or control with us, including companies with common directors or shareholders (each a “Group company”).

We may share your personal data with Group companies, and they may use it, for: (a) internal administration, support, IT, security and management reporting; and (b) providing, improving and developing products and Services that may be relevant to you. Each Group company that uses your data for its own purposes does so as a controller and is responsible for its own compliance with data protection law.

Group marketing requires your consent. Group companies will only use your data to send you their own marketing where you have consented to that. Structuring Group marketing around consent is deliberate: it keeps each company – including any holding company – on a sound legal footing and reduces compliance risk for the Group as a whole.
 

10. International transfers


We aim to keep your personal data within the UK. However, some of our providers (for example IT, communications, messaging-app and analytics providers) may process data outside the UK. Where we transfer personal data outside the UK, we ensure a similar degree of protection by relying on a UK “adequacy” regulation for the destination country, or on appropriate safeguards such as the ICO’s International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with any additional measures required. You can ask us for more information about the safeguards we use.
 

11. How long we keep your personal data


We keep personal data only for as long as necessary for the purposes for which we collected it, including to satisfy legal, accounting, tax or reporting requirements and to establish or defend legal claims. In general:
 
•      order, booking, application and transaction records are kept for the duration of our relationship and then for a period that allows us to meet legal and tax obligations and handle disputes (financial records are generally kept for around six years);
 
•      course, exam and certification records are kept for the period required by the relevant Service and any awarding body requirements;
 
•      marketing data is kept until you opt out or withdraw consent and for a reasonable period afterwards; and
 
•      if you ask to be suppressed from marketing, we keep the minimum information needed (such as your email address) on a suppression list to honour your request.
 
When data is no longer needed we will securely delete or anonymise it.
 

12. Special category data and identity information


Where we process special category data (for example health information relevant to a reasonable adjustment), we do so only where an Article 9 UK GDPR condition applies – usually your explicit consent, or because processing is necessary in connection with the establishment, exercise or defence of legal claims, and in line with our data protection policy. We collect the minimum needed and apply additional safeguards. Identification documents and right-to-work information are handled securely and shared only with the relevant card, course or awarding body as needed to deliver the Service.
 

13. Your rights


Subject to certain conditions and exemptions under UK data protection law, you have the right to:
 
•      be informed about how we use your data (this Policy);
 
•      access a copy of the personal data we hold about you;
 
•      rectify inaccurate or incomplete data;
 
•      erase your data in certain circumstances (the “right to be forgotten”);
 
•      restrict or object to our processing in certain circumstances, including, at any time and absolutely, objecting to direct marketing;
 
•      data portability for certain data you provided to us;
 
•      withdraw consent at any time where we rely on consent; and
 
•      not be subject to solely automated decisions producing legal or similarly significant effects (we do not currently make such decisions – see Section 14).
 
How to exercise your rights. Contact us using the details in Section 1. To protect your data we may need to verify your identity. We will respond within one month, which we may extend by up to two further months for complex or multiple requests (we will tell you if so). Exercising these rights is normally free, but we may charge a reasonable fee or refuse a request that is manifestly unfounded or excessive.
 

14. Automated decision-making


We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing. If this changes, we will update this Policy and tell you about your rights.
 

15. Cookies and similar technologies


The Website uses cookies and similar technologies to make it work, to remember your preferences, to measure traffic and performance, and – where you allow it – for analytics and marketing. Cookies are small files placed on your device.
 
•      Strictly necessary cookies are required for the Website to function and do not need your consent.
 
•      Analytics, functionality and marketing cookies (including tag-management and advertising technologies) are used only with your consent, which you give through our cookie banner and can change at any time.
 
You can also control cookies through your browser settings; blocking some cookies may affect how the Website works. We have a cookie management tool on our site whereby you can opt out at anytime, it also gives full details of the cookies we track.
 

16. Children


The Website and Services are intended for business customers and adults purchasing for work-related purposes, and are not directed at children. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps.
 

17. Third-party websites


The Website may link to third-party websites, plug-ins and applications. We do not control those sites and are not responsible for their privacy practices. When you leave our Website, we encourage you to read the privacy policy of every site you visit.
 

18. Keeping your data secure


We use appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, misuse or alteration, including access controls, staff confidentiality obligations and encryption in transit (SSL/TLS) for data submitted through the Website. Payment details are handled by our secure payment provider. No method of transmission or storage is completely secure, so while we work hard to protect your data we cannot guarantee absolute security; you also play a part by keeping your account details confidential. We have procedures to deal with any suspected data breach and will notify you and the ICO where we are legally required to do so.
 

19. Our responsibility for your data


We take our data protection responsibilities seriously. This Section explains the limits of those responsibilities; it does not, and cannot, remove rights you have under data protection law.
 
•      Incorporated and binding. This Policy is incorporated into our Terms and Conditions and forms part of your agreement with us. By using the Website and our Services you acknowledge this Policy.
 
•      Our processing only. We are responsible for personal data we process as a controller as described in this Policy. We are not responsible for how independent controllers – such as CITB, CSCS, test centres, examining boards, awarding bodies, payment providers, partners you have consented to receive marketing from, and third-party websites – use your data under their own privacy policies.
 
•      Accuracy of what you give us. You are responsible for ensuring the information you (or anyone booking on your behalf) provide is accurate, complete and up to date. To the extent permitted by law, we are not responsible for consequences arising from inaccurate, incomplete or out-of-date information that you provide, or from your failure to respond to our requests.
 
•      Bookings on behalf of others. If you provide another person’s data to us, you confirm you are entitled to do so and have made them aware of this Policy.
 
•      Statutory rights preserved. Nothing in this Policy or our Terms and Conditions excludes or limits any liability that cannot be excluded or limited under data protection law or other applicable law, or affects your statutory rights as a data subject, including your right to complain to the ICO. Our general limitations of liability are set out in our Terms and Conditions and apply to the maximum extent the law allows.
 

20. Changes to this Policy


We may update this Policy from time to time. The current version is always available on the Website and applies from the date it is posted. Where changes are significant, we will take reasonable steps to bring them to your attention. Please check this page periodically.
 

21. Complaints


If you have any concern about how we handle your personal data, please contact us first via our Contact Us page or via email at [email protected], so we can try to resolve it. You also have the right to complain to the ICO, the UK supervisory authority for data protection: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; helpline 0303 123 1113; ico.org.uk. We would, however, appreciate the chance to address your concerns before you approach the ICO.
 

Construction Certification 2026 All Rights Reserved.

Sitemap

Construction Certification is a booking agent that works with the constructions industry. Construction Certification is not part of CSCS or CITB.