Verlux Group | Effective Date: March 2026 | Last Updated: March 2026
This Privacy Policy describes how Verlux Group collects, uses, stores, and protects personal data obtained through our website (www.verluxgroup.com) and in the course of delivering our services. We are committed to full compliance with the UK General Data Protection Regulation (UK GDPR), the EU GDPR, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and applicable US state privacy laws including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
Verlux Group is the data controller responsible for your personal data. We determine how and why your data is processed.
Contact for all data matters: Email: info@verluxgroup.com | Website: www.verluxgroup.com | Subject line: 'Data Protection Enquiry'
UK residents may lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk. Canadian residents may contact the Office of the Privacy Commissioner at www.priv.gc.ca. California residents have additional rights under the CCPA/CPRA as described in Section 8.
When you submit an enquiry, book a consultation, or subscribe to our newsletter, we may collect: full name, email address, phone number, country and city of residence, details about your property or development project in Jamaica, communication preferences, and any other information you voluntarily include in messages or forms.
When you visit our website, we may automatically receive: IP address and general geographic location (country/region level), browser type and version, device type and operating system, pages visited, time on page, and navigation path, referring URL or search query. We do not currently use analytics platforms, advertising pixels, or behavioural tracking software. Any future implementation of such tools will be reflected in an updated Cookie Policy and will require your consent where required by law.
If you book a consultation via a third-party scheduling platform, that platform collects your booking information under its own privacy policy. We receive only the confirmation details needed to fulfil your appointment.
Performance of a contract or pre-contractual steps (UK/EU GDPR Article 6(1)(b)): Processing your enquiry, communicating about your project, and delivering our services.
Legitimate interests (UK/EU GDPR Article 6(1)(f)): Improving our website and services, maintaining records of business correspondence, and protecting our legal rights. We have determined our legitimate interests are not overridden by your fundamental rights and freedoms.
Consent (UK/EU GDPR Article 6(1)(a); PIPEDA Schedule 1 Principle 3): Sending newsletter or marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Legal obligation (UK/EU GDPR Article 6(1)(c)): Complying with applicable laws, regulations, court orders, or governmental requests.
• Responding to your enquiries and consultation requests • Delivering, managing, and improving our project oversight and advisory services • Sending newsletters or updates where you have explicitly consented • Maintaining accurate business and engagement records • Complying with our legal and regulatory obligations • Detecting, preventing, or investigating fraud or misuse of our services
We will never sell, rent, licence, or trade your personal data to any third party for their own marketing, advertising, or commercial purposes.
Service providers: We use trusted third-party providers to support our operations. These providers are contractually required to process your data only on our instructions, maintain confidentiality, and implement appropriate security. They are not permitted to use your data for their own purposes.
Professional advisors: Where your project requires introduction to licensed professionals, we share only the information necessary and only with your knowledge.
Legal and regulatory requirements: We may disclose data if required by law, court order, or governmental authority, or where necessary to protect our legal rights.
Business transfers: In the event of a merger, acquisition, or sale, your data may transfer to the successor entity. You will be notified before your data becomes subject to a materially different privacy policy.
Our primary client base is in the United Kingdom, United States, and Canada. Our operations are based in Jamaica. When we transfer personal data internationally, appropriate safeguards are in place.
• UK/EU transfers: we rely on adequacy decisions, Standard Contractual Clauses (SCCs), or other lawful mechanisms recognised under UK/EU GDPR • Canadian residents: we comply with PIPEDA requirements for transfers to third-party jurisdictions, ensuring comparable levels of protection • California residents: we comply with CCPA/CPRA requirements for all data handling and cross-border transfers
• Enquiry and pre-engagement data: up to 24 months from last contact • Active client engagement data: duration of engagement plus 7 years for legal and contractual compliance • Newsletter consent data: until you unsubscribe, plus 12 months for record-keeping • Automatically collected website data: up to 13 months
On expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised.
• Right of access — obtain a copy of the personal data we hold about you • Right to rectification — request correction of inaccurate or incomplete data • Right to erasure — request deletion, subject to legal exceptions • Right to restrict processing — limit how we use your data in certain circumstances • Right to data portability — receive your data in a structured, machine-readable format • Right to object — to processing based on legitimate interests or for direct marketing • Right to withdraw consent — at any time, without affecting prior lawful processing • Right to lodge a complaint — with the ICO (UK) or your national supervisory authority
You have the right to access the personal information we hold about you, to challenge its accuracy, and to withdraw consent to its collection or use, subject to legal or contractual constraints. You may file a complaint with the Office of the Privacy Commissioner of Canada.
• Right to know — what personal information we collect, use, disclose, or sell • Right to delete — request deletion of your personal information, subject to exceptions • Right to correct — request correction of inaccurate personal information • Right to opt out of sale or sharing — we do not sell or share personal information • Right to non-discrimination — we will not discriminate against you for exercising any right
To exercise any right, please email info@verluxgroup.com with the subject line 'Privacy Rights Request'. We will respond within 30 days (UK/EU/Canada) or 45 days (California), extendable where reasonably necessary.
• Encrypted communication channels • Access-controlled document and file storage • Restricted internal access on a need-to-know basis • Use of reputable third-party platforms with established security standards
In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by law.
Our services are not directed to individuals under 18. We do not knowingly collect data from minors. If you believe we have inadvertently received such data, please contact info@verluxgroup.com immediately.
We may update this Privacy Policy periodically. The 'Last Updated' date will be revised with each change. For material changes, we will provide prominent notice. Continued use of our website after any update constitutes acknowledgement of the revised policy.
This Privacy Policy is governed by the laws of Jamaica, without prejudice to any statutory rights you hold under UK GDPR, EU GDPR, PIPEDA, or applicable US state law.
Email: info@verluxgroup.com Website: www.verluxgroup.com Subject line: 'Data Protection Enquiry'