1. Data Controller
1.1. For the purposes of applicable data protection legislation, the data controller for personal data collected through the Service is whatcleaner.
1.2. For data protection enquiries, please contact us via the help form on our help page.
2.1. Account Information
When you register for an account, we collect:
| Data Type | Purpose | Legal Basis |
| --- | --- | --- |
| Full name | Account identification, communications | Contract performance |
| Business name | Account identification, invoicing | Contract performance |
| Email address | Account access, communications, notifications | Contract performance |
| Phone number | Account security, support communications | Legitimate interest |
| Password (hashed) | Account security | Contract performance |
| Billing address | Payment processing, tax compliance | Legal obligation |
2.2. Customer Data (Data You Input)
Information you choose to store about your business customers:
- Customer names and contact details
- Service addresses and property information
- Booking history and service records
- Payment records and invoicing data
- Notes and service preferences
Important: You are the data controller for Customer Data. We process this data on your behalf as a data processor. See our Data Processing Agreement for details.
2.3. Technical and Usage Data
We automatically collect:
| Data Type | Purpose | Retention |
| --- | --- | --- |
| IP address | Security, fraud prevention, geolocation | 12 months |
| Browser type and version | Service compatibility, troubleshooting | 12 months |
| Device information | Service optimization | 12 months |
| Access timestamps | Security audit, usage analysis | 12 months |
| Page views and feature usage | Service improvement | 24 months (anonymised) |
| Error logs | Bug fixing, service reliability | 90 days |
2.4. Payment Information
Payment card details are collected and processed directly by our payment processor, Stripe. We do not store complete card numbers. We receive and store only:
- Last four digits of card number (for identification)
- Card expiry date
- Billing address
- Transaction records
3. Legal Basis for Processing
Under UK GDPR, we process your personal data on the following legal bases:
| Processing Activity | Legal Basis (GDPR Article 6(1)) |
| --- | --- |
| Providing the Service | (b) Contract performance |
| Account authentication | (b) Contract performance |
| Payment processing | (b) Contract performance |
| Transactional emails | (b) Contract performance |
| Customer support | (b) Contract performance / (f) Legitimate interest |
| Onboarding communications | (f) Legitimate interest |
| Security and fraud prevention | (f) Legitimate interest |
| Service improvement analytics | (f) Legitimate interest |
| Tax and legal compliance | (c) Legal obligation |
| Marketing (if opted in) | (a) Consent |
4. How We Use Your Information
4.1. Service Provision: To provide, maintain, and improve the Service, process transactions, and manage your account.
4.2. Communications: To send essential service communications including:
- Account verification and password reset emails
- Payment receipts and billing notifications
- Service announcements and updates
- Onboarding guidance and support communications
4.3. Security: To detect, prevent, and investigate security incidents, fraud, and terms violations.
4.4. Legal Compliance: To comply with applicable laws, regulations, and legal processes.
4.5. Service Improvement: To analyse usage patterns and improve the Service functionality and user experience.
4.6. Anonymous Industry Insights: To generate aggregated, anonymised statistics about the UK cleaning industry (see Section 5).
5. Anonymous Aggregated Industry Data
Privacy-First Approach: No Personal Data Exposed
We generate industry insights using only aggregated, anonymised data. Individual businesses, customers, or transactions cannot be identified from this data.
5.1. What We Aggregate: We compile anonymous statistics across all users to understand industry trends. This includes:
| Aggregated Metric | Example Output | Personal Data? |
| --- | --- | --- |
| Average job prices | "Average cleaning job: £35" | No - aggregate only |
| Service frequency preferences | "65% prefer fortnightly cleans" | No - aggregate only |
| Popular booking days | "Wednesday most popular" | No - aggregate only |
| Customer retention rates | "70% customer retention" | No - aggregate only |
| Payment method trends | "45% use bank transfer" | No - aggregate only |
| Geographic distribution | "SW postcodes most active" | No - postcode area only |
5.2. What We Never Include:
- Business names, owner names, or contact details
- Customer names, addresses, or identifying information
- Specific transaction amounts or dates
- Any data that could identify an individual business or person
5.3. How We Use This Data:
- Publishing industry benchmark reports and statistics
- Informing marketing content about cleaning industry trends
- Improving our Service based on aggregate usage patterns
- Providing users with industry comparisons (e.g., "your pricing is above average")
5.4. Legal Basis: We process this anonymised data under legitimate interest (GDPR Article 6(1)(f)). Once data is fully anonymised, it falls outside the scope of personal data protection requirements, as it cannot be used to identify any individual.
5.5. Opting Out: Since this data is fully anonymised and cannot be linked back to you, there is no mechanism to "opt out" of anonymous aggregation. However, you can always delete your account to remove your underlying data from future aggregations.
6. Data Sharing and Disclosure
6.1. We Do Not Sell Your Data. We never sell, rent, or trade your personal information to third parties for marketing purposes.
6.2. Service Providers (Sub-processors): We share data with trusted third-party providers who assist in operating our Service:
| Provider | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| MongoDB Atlas | Database hosting | All Service data | UK/EU |
| DigitalOcean | Application hosting | Application data | UK/EU |
| Stripe | Payment processing | Payment data, billing info | UK/EU (with US processing) |
| MailerSend | Email delivery | Email addresses, names | EU |
| Sentry | Error monitoring | Technical data, IP (anonymised) | US |
5.3. Legal Disclosure: We may disclose information if required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, safety, or property.
5.4. Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you of any such change.
7. International Data Transfers
6.1. Your data is primarily stored and processed in the UK and European Economic Area (EEA).
6.2. Where data is transferred outside the UK/EEA (e.g., to US-based sub-processors), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the UK ICO
- Data processing agreements with all sub-processors
- Verification of adequate security measures
8. Data Security
7.1. We implement appropriate technical and organisational measures to protect your data, including:
- Encryption: TLS/SSL encryption for data in transit; encryption at rest for sensitive data
- Access Controls: Role-based access, multi-factor authentication for administrative access
- Password Security: Bcrypt hashing with salting; never stored in plain text
- Infrastructure: Secure cloud hosting with regular security updates
- Monitoring: Automated security monitoring and intrusion detection
- Audit Logging: Comprehensive audit trails for security-relevant events
7.2. Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
9. Data Retention
8.1. Active Accounts: We retain your data for as long as your account is active and as needed to provide the Service.
8.2. After Account Deletion:
- Customer Data: Deleted within 30 days of account deletion
- Backup copies: Removed within 90 days
- Anonymised analytics: May be retained indefinitely
8.3. Legal Retention: We may retain certain records longer as required by law:
- Financial/tax records: Up to 7 years (UK legal requirement)
- Consent records: 7 years after last interaction
- Legal dispute records: Duration of any legal proceedings plus 6 years
10. Your Data Protection Rights
Under UK GDPR, you have the following rights:
| Right | Description |
| --- | --- |
| Access | Request a copy of personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of your data (subject to legal retention requirements) |
| Restriction | Request limitation of processing in certain circumstances |
| Portability | Receive your data in a structured, machine-readable format |
| Object | Object to processing based on legitimate interests |
| Withdraw Consent | Withdraw consent for consent-based processing at any time |
9.2. Exercising Your Rights: To exercise any of these rights, please contact us via our help page. We will respond within one month as required by law.
9.3. Right to Complain: You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
11. Cookies and Tracking Technologies
We use cookies and similar technologies to operate the Service. For detailed information about our cookie practices, please see our Cookie Policy.
12. Children's Privacy
11.1. The Service is intended for business use and is not directed at individuals under the age of 18.
11.2. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately.
13. Changes to This Privacy Policy
12.1. We may update this Privacy Policy from time to time. Material changes will be notified via email or prominent notice within the Service.
12.2. The "Effective Date" at the top of this policy indicates when it was last revised.
12.3. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
For privacy-related enquiries or to exercise your data protection rights, please contact us via the help form on our help page.