Galliford Try Privacy Notice (Updated June 2026 v2.0)
Galliford Try is committed to protecting your personal data and handling it lawfully, fairly and transparently. This Privacy Notice explains how we collect, use, store and share personal data through our website and when you contact us or interact with us by other means. It also explains your rights and how to contact us if you have any questions.
1. What this notice applies to
This notice applies to personal data collected by or on behalf of Galliford Try via our website, by email, by telephone, by post, through social media, in person, or through other business interactions. It applies to website visitors, customers, prospective customers, suppliers, subcontractors, professional contacts and other individuals whose personal data we process in connection with our business activities.
2. Who we are
Galliford Try Group is made up of different legal entities and this Privacy Notice is issued on behalf of Galliford Try Group. Unless we tell you otherwise, Galliford Try Employment Limited is the controller of your personal data.
We have an appointed Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact them using the information set out below:
· The Data Protection Officer
· c/o The Company Secretary
· Galliford Try Holdings plc
· Blake House, 3 Frayswater Place, Cowley, Uxbridge, UB8 2AD
· Email: dpo@gallifordtry.co.uk
3. The law we comply with
We process personal data in accordance with the UK’s data protection regime, which includes:
· Data Protection Act 2018;
· The retained EU General Data Protection Regulations;
· Data (Use and Access) Act 2025; and
· Privacy and Electronic Communications Regulations.
For the purposes of this Privacy Notice, the entirety of the applicable data protection legislation and regulation is referred to as the “Data Protection Regime (DPR)”.
4. The personal data we collect
The personal data we collect depends on how you interact with us. It may include:
· Identity and contact data: such as your name, job title, employer, postal address, telephone number, and email address;
· Enquiry and correspondence data: such as the details you provide when you contact us and records of our communications with you;
· Business relationship data: such as contractual details, supplier information, service information, transaction details, financial information and other payment information;
· Technical and usage data: such as IP address, browser type, device information, website usage information and security logs;
· Location data: where this is derived from your device, your IP address or the place from which you access our services;
· Marketing preferences: such as your communication preferences and any opt-in or opt-out choices you make;
· Publicly available information: such as Companies House records or information made publicly available on professional networking sites or websites;
· Identification and due diligence information: where required, such as copies of identity documents or other compliance information; and
· Health and safety information: where necessary to safeguard our employees, contractors, visitors and the public.
5. How we collect personal data
We collect personal data:
· directly from you when you complete forms, make enquiries, register for updates, request services or otherwise contact us;
· from your use of our website and systems, including through cookies and similar technologies;
· from third parties we work with, such as suppliers, subcontractors, agents, analytics providers, social media platforms, public authorities, public registers and publicly available sources; and
· from organisations or individuals who introduce you to us or who are otherwise involved in our business relationship with you.
6. How and why we use your personal data
We may use your personal data to:
· respond to your enquiries, requests and complaints;
· provide, manage and improve our products, services and website;
· administer our relationship with customers, suppliers, subcontractors and other business contacts;
· send service communications and, where permitted, marketing communications about our services, events and updates;
· monitor and improve the performance, content and security of our website and systems;
· carry out analytics, planning, reporting and business administration;
· manage payments, debt recovery, financial controls and audit activities;
· comply with our legal and regulatory obligations;
· detect, prevent, investigate and report fraud, cyber security threats and other unlawful activity;
· protect the health, safety, wellbeing and security of our employees, contractors, visitors and the public; and
· manage corporate transactions, restructuring or the sale or acquisition of any part of our business where relevant.
7. Our legal right for processing
We rely on one or more of the following legal rights under the DPR:
· Contract – where processing is necessary to enter into or perform a contract with you or your organisation.
· Legal obligation – where processing is necessary for us to comply with the law.
· Legitimate interests – where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include operating and improving our business, maintaining website and information security, managing relationships, preventing fraud, and promoting our services responsibly.
· Consent – where we ask for and rely on your consent, for example for certain marketing or cookie-related activities.
Where we process special category personal data, we will only do so where the law allows us and an additional condition under data protection law applies.
8. Marketing
Where permitted by law, we may send you information about our services, events, updates or other information that may be of interest to you. You can opt out of marketing communications at any time by using the unsubscribe link in any email, updating your preferences where available, or by contacting us using the details in this notice.
9. Cookies and similar technologies
Our website uses cookies and similar technologies, such as analytics tools, tags and other storage or access technologies, to operate the site, enhance user experience, understand how visitors use the site, and support security and performance.
We use the following categories of cookies and similar technologies:
· Strictly necessary technologies – required for the operation, security and core functionality of the website.
· Analytics technologies – used to help us understand how our website is used and how it can be improved.
· Preference technologies – used to remember settings or choices where applicable.
· Marketing technologies – used only where applicable and where the relevant legal requirements are met.
Where consent is required, we will request your consent before placing non-essential technologies on your device and will provide you with a clear way to manage your choices. For more information, including the current cookies we use and how to manage your preferences, please see our Cookie Notice or the cookie settings tool available on our website.
10. Automated processing, analytics and AI-enabled tools
We may use automated tools, including website analytics, cyber security monitoring, spam filtering and other technology-assisted processes, to help us operate our website, protect our systems and improve our services. We do not currently make decisions about individuals based solely on automated processing. Where we use technology-assisted tools, appropriate human oversight remains in place.
11. Who we share personal data with
We may share personal data where necessary and in compliance with the DPR with the following categories of recipients:
· companies within the Galliford Try Group;
· IT, hosting, cloud and software service providers;
· website, analytics, communications and marketing service providers;
· professional advisers, auditors, insurers and bankers;
· suppliers, subcontractors, agents and consultants who support our business operations;
· payment service providers and debt recovery agents where relevant;
· regulators, courts, law enforcement agencies, government bodies and other authorities where required or permitted by law; and
· other third parties where you have asked us to do so or where you have otherwise given your consent.
Where third parties process personal data on our behalf, we require them to act only on our instructions, keep the data secure and comply with the DPR.
12. International transfers
Some of our suppliers or service providers may process personal data outside the UK. Where we transfer personal data internationally, we will ensure that appropriate safeguards are in place as required by law. These safeguards may include the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, an adequacy regulation, or another lawful transfer mechanism. We may also carry out transfer risk assessments and implement supplementary security measures where appropriate.
13. How we protect personal data
We use appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures include access controls, authentication measures, encryption where appropriate, logging and monitoring, security testing, supplier due diligence and staff confidentiality and awareness measures.
14. How long we keep personal data
We keep personal data only for as long as necessary for the purposes for which it was collected, including to meet legal, regulatory, tax, accounting, health and safety, reporting or contractual requirements and to establish, exercise or defend legal claims.
Retention periods vary depending on the type of data and the purpose of processing. By way of example:
· general enquiries and correspondence are typically retained for up to 12 months after closure unless a longer period is required;
· marketing preferences are retained until you unsubscribe or, where applicable, for a reasonable period after our last meaningful interaction with you;
· customer, supplier and contractual records are typically retained for the duration of the relationship and for up to 6 years afterwards, unless a longer retention period is required by law or for legal claims;
· website technical logs and security records are retained for a period appropriate to security, investigation and audit needs; and
· cookie retention periods are set out in our Cookie Notice or cookie settings tool.
Where retention periods cannot be stated precisely, we determine them by considering the nature and sensitivity of the data, the purpose for which it is used, legal and regulatory requirements, and any limitation periods or dispute risks that apply.
15. Your rights
Under the DPR, you may have the right to:
· be informed about how your personal data is used;
· request access to the personal data we hold about you;
· request correction of inaccurate or incomplete personal data;
· request erasure of your personal data in certain circumstances;
· request restriction of processing in certain circumstances;
· object to processing where we rely on legitimate interests and, in particular, to direct marketing;
· request the transfer of certain personal data to you or another organisation in a structured, commonly used and machine-readable format where the right applies;
· withdraw consent at any time where we rely on consent; and
· challenge or request human review of any solely automated decision-making that has legal or similarly significant effects, if applicable.
These rights are not absolute and may not apply in every case. If an exemption applies or we are unable to comply with your request, we will explain why, subject to any legal restrictions.
16. How to exercise your rights
You can exercise your rights by contacting the DPO using the contact details above. You can make a request in writing or by email. We may ask for information to confirm your identity where this is necessary to protect personal data and verify that we are dealing with the correct person.
We will usually respond within one month, although this may be extended where the law allows.
17. Complaints
If you have any concerns about how we use your personal data, please contact us first so that we can try to resolve the issue. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection. More information is available at https://ico.org.uk/.
18. Third-party websites
Our website may contain links to third-party websites or services. These websites have their own privacy notices and we are not responsible for their content, privacy practices or security. Please review their privacy notices before providing any personal data to them.
19. Changes to this notice
We may update this Privacy Notice from time to time to reflect changes in law, regulation, technology, our business activities or our data processing practices. Any updates will be posted on this page and, where appropriate, notified to you in another suitable way.
This notice was last updated June 2026 (V2.0).