1. Introduction
1.1
This privacy policy explains how and why Crescent Purchasing Consortium (CPC) and its subsidiary companies (referred to as "we", "us" or "our") collect and use your personal data under the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1.2
CPC currently has one subsidiary which it wholly owns. This is Crescent Services (TPS) Limited (referred to as "CSL"). Its purpose is to service the wider public sector. All profits are gift-aided to CPC and designated for use in the furtherance of CPC's charitable objectives.
All CSL customers are registered as CPC members which allows them access to the procurement benefits of CPC membership, the exception being access to grant funding which is designated purely for educational institutions.
1.2
CPC acts as the Data Controller in respect of the personal data we process.
1.3
If you have a query about this privacy notice, please contact our data protection officer by emailing [email protected]. Alternatively, you can contact in writing at the following address: Procurement House, Unit 23, Leslie Hough Way, Salford M6 6AJ.
1.4
We regularly review this notice, so you are always aware of:
What information we collect.
How we use it.
What circumstances, if any, we will share it with other parties.
1.5
This privacy policy was last updated on 26 March 2026.
2. What personal data we collect and how we collect it
2.1
Most of the personal data we collect is provided directly to us by you when you:
Subscribe to CPC membership.
Access our managed or on-demand consultancy service.
Access our frameworks.
Make a complaint or enquiry.
Attend an event organised by CPC or attended by CPC (such as the Schools and Academies Show) as well as events attended by CSL.
Visit our website (which includes pages dedicated to CSL).
Apply for a job with us.
Engage with our social media accounts and communicator tool.
2.2
The personal data we collect will include your:
Name.
Business address.
Business email address.
Job title.
Contact phone numbers.
IP (Internet Protocol) address.
Social media handles.
CV including home address, personal contact details and employment details.
2.3
Calls made to our helpdesk are not recorded at present. Phone numbers, from incoming calls to our helpdesk are recorded so we can return your call, if required to help with your request.
2.4
We may also collect personal data specified in 2.2 by viewing your company website.
2.5
We use several different cookies on our site to improve your experience. If you do not know what cookies are, or how to control or delete them, then we recommend you visit http://www.aboutcookies.org for detailed guidance.
2.6
We use Cloudflare Zaraz to manage the loading of third-party scripts and tools on our website. This technology allows us to process data more efficiently which improves website speed and security. By using this service, we can coordinate our various analytics and support tools through a single, secure manager.
2.7
While we provide information below on the categories of cookies we use, please note that we are moving towards a more granular consent model. Currently, you can manage your privacy by deleting cookies after your visit or by using your browser's anonymous usage setting (e.g., "Incognito" in Chrome or "Private Browsing" in Firefox).
2.8
First Party Cookies: These are cookies that are set by this website directly. We make use of both session cookies and persistent cookies to provide a fluid and consistent service, such as maintaining your login session and protecting our web forms from security threats. We deem these as being strictly necessary to the working of the website. If these are disabled, then we expect that certain features of the website will not function correctly.
2.9
More information on the different types of cookies and what they are used for can be found at:
Session Cookies
Persistent Cookies
2.10
Analytics and Performance: We use Google Analytics 4 to collect information about visitor behaviour. This helps us understand which pages are popular and how users navigate the site. We also utilise Ahrefs to monitor our search engine performance and site health. This data is collected anonymously and is used solely to improve our services for members.
2.11
Support and Communication: To provide real-time assistance, we utilise a Web Chat service provided by Tawk.to. This service uses functional cookies to ensure your chat session remains active and connected as you move between different pages on our website.
2.12
Marketing and Outreach: We use Google Ads and LinkedIn Insight Tags to measure the effectiveness of our communication efforts. These tools help us ensure our procurement advice and framework updates are reaching the relevant audience within the education and wider public sectors.
3. Use of personal data
3.1 We use the information that you have given us in the following ways:
To provide an appropriate level of service.
To improve our website and services.
To make sure we are meeting the needs of our members and customers.
To understand how users interact with our website.
To respond effectively to queries raised. Note, if we request further information from you to help provide you with the most accurate answer possible, we will always explain at the outset our reasoning behind the request for additional information.
From time to time, we may send you marketing emails regarding CPC and CSL events, training and other membership benefits.
We periodically send out a newsletter to all CPC members with relevant articles about new services, frameworks, special offers or other information which we believe will be of interest to you.
We periodically send out news and marketing campaigns via Mailchimp and Outlook to all our framework suppliers, signposting industry news and marketing opportunities.
3.2
You have the option to "opt-out" or reduce the volume of e-mails you receive from us at any time by contacting our helpdesk via the CPC website.
3.3
We use Mailchimp to send out our newsletters and you are always free to unsubscribe from them, however, as long as you are a member or framework supplier with CPC, we may use Mailchimp to send you information about your account.
4. Sharing personal data
4.1 We share your personal data with the following third parties, where relevant.
Our employees, to enable us to provide a professional service to both members and suppliers.
Other CPC members (excluding CSL customers) through our National and Regional Procurement Advisory Groups (PAGs) and the Further Education Facilities Management Network (FEFMN), this is to facilitate collaboration and knowledge sharing between members and to advance research in procurement.
Our framework suppliers who may send marketing material direct to members via email to promote goods or services.
Third-party technology and service providers that help us deliver our digital services, including Cloudflare (website security and script management), Tawk.to (web chat), Ahrefs (SEO), Mailchimp and Lemlist (marketing), and Survey Monkey (research).
Other third parties that may be used in the organisation of events such as our annual supplier awards.
Our professional advisors should the need arise, Weightmans (solicitors), Risk2Value (insurance advisors) and Hiscox (CPC insurance broker).
4.2 We will not:
sell, distribute, or grant access to your personal data to third parties (not mentioned above) unless we have your express written permission or are required to do so by law.
be aggressive or coercive in the way we request information from you.
5. How we keep personal data safe
5.1
We protect the information you give us using physical, electronic and management procedures on use of personal data. Industry-standard secure sockets layer (SSL) encryption is used on the web pages where we collect personal data.
5.2
We manage risk around use of personal data using processes incorporated in achieving Cyber Essentials Plus accreditation and other internal, audited controls. We commission external consultants each year to perform penetration testing on our systems as part of our aspiration to gain ISO 27001 - Information Security Management accreditation.
5.3
Our data is backed up each day on the Azure cloud platform using global datacentres with encryption measures for both data at rest or in transit.
6. How long we keep personal data
6.1
We keep your personal data only for as long as is reasonably necessary for the purposes of providing our services as identified in section 3.
6.2
CPC member and CSL customer data is kept for as long as your institution remains a member of CPC.
6.3
Supplier data (framework bidders) is kept in line with the requirements of the Public Procurement Regulations. Framework supplier data is kept for the duration of the contract in line with ICO (Information Commissioner's Office) retention guidelines.
6.4
Following the relevant retention period your personal data is deleted.
6.5
Personal data of employees and applicants are kept in line with ICO retention guidelines and then deleted.
7. International data transfers
7.1
We do not transfer your personal data outside of the EEA (European Economic Area).
7.2
Where your personal data may be backed-up on servers outside of the EEA or where a third-party may process your personal data outside of the EEA we will try to ensure your personal data gets the same protection as in the EEA.
8. Your rights under data protection law
8.1
You have certain rights under the UK GDPR (General Data Protection Regulation) and the Data Protection Act 2018.
8.2 You may have a right to request:
A copy of the information that CPC or its subsidiary companies hold about you (the right of access). See section 10. Subject Access Request (SAR).
That anything inaccurate in your personal data is corrected (the right to rectification).
That we remove your personal data (the right of erasure).
That we use your personal data only in specific circumstances (the right to restrict processing).
That we stop processing your personal data (the right to object).
That we provide your data in a readable format (right of data portability).
That you have human contact and be protected against automated systems (rights in relation to automated decision-making and profiling).
9. Legal basis for processing your personal data
9.1
Under data protection law we must have a legal basis to collect, store and use your personal data.
9.2
The legal basis for processing the personal data that we collect is:
When you have given consent (for example, by registering as a CPC member).
When we make a contract with you (for example, employment with us or becoming a framework supplier).
To protect our legitimate interest of developing and providing our services and growing our business.
In the exercise of our legal duties (for example, where we are required to share information in accordance with legislation, to prevent fraud or due to a court order).
Necessary to perform a task in the public interest.
10. Subject Access Request
10.1
You can send a personal data request by emailing [email protected].
10.2
Alternatively, you can write to us at:
The Data Protection Officer
Crescent Purchasing Consortium
Procurement House
Unit 23, Leslie Hough Way
Salford
M6 6AJ
11. How to complain
11.1
If you are not happy with how CPC has dealt with your request or how it manages your personal data you have the right to complain to the Information Commissioner's Office (ICO), the UK regulator on data protection.
11.2
You can make a complaint by phone on 0303 123 1113, or via the ICO website: Information Commissioner's Office (ICO)