GDPR Compliance

Understanding GDPR terminology helps you understand your rights:

2.1 Personal Data

Under Article 4 of UK GDPR, Personal Data means any information relating to an identified or identifiable natural person ("data subject"). An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as:

• Name, identification number, location data
• Online identifier (IP address, cookies)
• One or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity

Examples include: name, email address, phone number, date of birth, IP address, location data, and any other information that can identify you.

2.2 Data Controller

A Data Controller (Article 4) is the entity that determines the purposes and means of processing personal data. Cleaner Pal Ltd. is the data controller for personal data processed through our Platform. We decide what data to collect, why we collect it, and how we use it.

2.3 Data Processor

A Data Processor (Article 4) is an entity that processes personal data on behalf of the controller. Examples include our cloud hosting providers (Google Cloud, Firebase), payment processors (Stripe, PayPal), and verification services (uCheck). We have contracts in place with all processors to ensure they protect your data.

2.4 Processing

Processing (Article 4) is very broadly defined and includes any operation performed on personal data, such as:

• Collection, recording, organization, structuring
• Storage, adaptation, alteration
• Retrieval, consultation, use
• Disclosure by transmission, dissemination, or making available
• Alignment, combination, restriction
• Erasure or destruction

2.5 Personal Data Breach

A Personal Data Breach (Article 4) means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Unlike some regulations that only require notification for breaches involving sensitive data (like social security numbers), GDPR requires notification for breaches involving any personal data if it poses a high risk to your rights and freedoms.

2.6 Consent

Consent (Article 4) under GDPR must be:

• Freely given: You must have a genuine choice
• Specific: Consent must be for a specific purpose
• Informed: You must understand what you're consenting to
• Unambiguous: Clear affirmative action (not pre-ticked boxes or silence)
• Revocable: You can withdraw consent at any time

Consent must be given by a statement or clear affirmative action. We cannot assume consent from silence, pre-ticked boxes, or inactivity.

2.7 Data Subject

A Data Subject is the identified or identifiable natural person whose personal data is being processed. If you use our Platform, you are a data subject.

Data Controller: Cleaner Pal Ltd., a company registered in Northern Ireland
Registered Office: Ground Floor, Gallery Building, 65-69 Dublin Rd, Belfast, BT2 7HG, Northern Ireland
ICO Registration: Registered as a data controller with the Information Commissioner's Office (ICO)
ICO Registration Number: [To be added when registered]

As the data controller, we are responsible for determining the purposes and means of processing your personal data. We are accountable for ensuring compliance with UK GDPR.

Under Article 6 of UK GDPR, we can only process personal data if we have a lawful basis. We process your data under the following legal bases:

4.1 Contract (Article 6(1)(b))

Processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract. Examples:

• Creating and managing your account
• Processing bookings and facilitating services
• Processing payments
• Enabling communication between Users
• Providing customer support
• Managing subscriptions

4.2 Legal Obligation (Article 6(1)(c))

Processing is necessary for compliance with a legal obligation. Examples:

• Right-to-work verification (UK immigration law)
• DBS checks (safeguarding requirements)
• Tax and accounting records (HMRC requirements - 7 years)
• Responding to legal requests and court orders
• Regulatory compliance

4.3 Legitimate Interests (Article 6(1)(f))

Processing is necessary for our legitimate interests, balanced against your rights and freedoms. We conduct a legitimate interests assessment (LIA) for each use case. Examples:

• Safety and Security: Identity verification, background checks, fraud prevention, platform safety
• Platform Improvement: Analytics, research, feature development, service optimization
• Business Operations: Quality assurance, dispute resolution, enforcing terms and policies
• Communication: Important service updates, security alerts, policy changes
• Legal Protection: Defending legal claims, protecting rights and property

You have the right to object to processing based on legitimate interests (see Section 7.6 below).

4.4 Consent (Article 6(1)(a))

Processing is based on your consent. Examples:

• Marketing communications
• Optional cookies and tracking technologies
• Sharing data with third parties for marketing (where explicitly consented)
• Research and surveys
• Non-essential SMS notifications

You can withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

4.5 Vital Interests (Article 6(1)(d))

Processing is necessary to protect the vital interests of you or another person. This is rarely used but may apply in emergency situations.

4.6 Public Task (Article 6(1)(e))

Processing is necessary for the performance of a task carried out in the public interest. This does not typically apply to our operations.

Under Article 5 of UK GDPR, we adhere to the following principles when processing personal data:

5.1 Lawfulness, Fairness, and Transparency

We process data lawfully, fairly, and transparently. We inform you about what data we collect and how we use it through this page and our Privacy Policy.

5.2 Purpose Limitation

We collect data for specified, explicit, and legitimate purposes and do not process it in a way incompatible with those purposes. We only use data for the purposes we've told you about.

5.3 Data Minimization

We only collect data that is adequate, relevant, and limited to what is necessary for our purposes. We regularly review what data we collect and delete unnecessary data.

5.4 Accuracy

We take reasonable steps to ensure data is accurate and kept up to date. You can update your information through your account settings, and we encourage you to keep your information current.

5.5 Storage Limitation

We keep data only for as long as necessary for our purposes. We have retention policies that specify how long we keep different types of data (see our Privacy Policy for details).

5.6 Integrity and Confidentiality

We implement appropriate security measures to protect data against unauthorized access, alteration, disclosure, or destruction. See Section 9 below for details.

5.7 Accountability

We are responsible for demonstrating compliance with these principles. We maintain records of processing activities, conduct data protection impact assessments (DPIAs) where required, and have appointed a Data Protection Officer.

As a data subject, you have comprehensive rights under UK GDPR. We are committed to facilitating the exercise of these rights:

6.1 Right of Access (Article 15)

You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data and receive the following information:

• The purposes of processing
• The categories of personal data concerned
• The recipients or categories of recipients to whom data has been or will be disclosed
• The retention period or criteria for determining it
• Your rights (rectification, erasure, restriction, objection, portability)
• The right to lodge a complaint with the ICO
• Information about the source of data (if not collected from you)
• Information about automated decision-making and profiling

How to exercise: You can access much of your data through your account settings, or request a complete data export by contacting us or using the data export feature. We will respond within one month (extendable by two months for complex requests).

6.2 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete personal data completed. We will respond to rectification requests without undue delay and in any event within one month.

How to exercise: Most information can be updated directly through your account settings. For other corrections, contact us. We may verify your identity before making changes.

If we have shared your data with third parties, we will inform them of the rectification (unless this proves impossible or involves disproportionate effort).

6.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data in the following circumstances:

• The data is no longer necessary for the original purpose
• You withdraw consent and there is no other legal basis
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Deletion is required for legal compliance

Exceptions: We may refuse deletion if processing is necessary for:

• Exercising the right of freedom of expression and information
• Compliance with legal obligations (e.g., tax records for 7 years)
• Public interest in public health or scientific research
• Establishment, exercise, or defence of legal claims

How to exercise: Request account deletion through your account settings or contact us. We will process deletion requests within one month, subject to legal requirements. If we have shared your data with third parties, we will inform them of the erasure (unless this proves impossible or involves disproportionate effort).

6.4 Right to Restrict Processing (Article 18)

You have the right to restrict processing in the following circumstances:

• You contest the accuracy of data (restriction while we verify accuracy)
• Processing is unlawful and you oppose erasure
• We no longer need the data but you need it for legal claims
• You have objected to processing (restriction while we verify legitimate grounds)

When processing is restricted, we will only process the data (except storage) with your consent, for legal claims, for protection of rights, or for important public interest reasons.

How to exercise: Contact us to request restriction of processing. We will inform you before lifting any restriction.

6.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where:

• Processing is based on consent or contract
• Processing is carried out by automated means

You also have the right to have your data transmitted directly from us to another controller, where technically feasible.

How to exercise: Use the data export feature in your account settings to download your data in JSON format, or contact us. We will provide your data within one month.

Note: This right applies to data you provided to us, not data we derived or inferred.

6.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests (Article 6(1)(f)) or for direct marketing purposes. If you object:

• We must stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms
• For direct marketing, we must stop processing immediately

How to exercise: Opt out of marketing communications through your account settings or contact us. For objections to legitimate interests processing, contact us explaining your objection.

6.7 Rights Related to Automated Decision-Making and Profiling (Article 22)

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect you, unless:

• It is necessary for entering into or performing a contract
• It is authorized by law
• It is based on your explicit consent

We use automated decision-making for:

• Cleaner-client matching based on location and preferences
• Risk assessment for new cleaner applications
• Dynamic pricing algorithms
• Fraud detection

How to exercise: You can request human review of any automated decisions that significantly affect you by contacting us. We will provide meaningful information about the logic involved and the significance and consequences of processing.

6.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

How to exercise: Update your preferences in your account settings or contact us. We will stop processing based on consent immediately upon withdrawal.

To exercise your GDPR rights, you can:

• Self-Service: Use the options in your account settings for data access, export, and deletion
• Email: Contact us at privacy@cleanerpal.com or our Data Protection Officer at dpo@cleanerpal.com
• Post: Write to us at our registered office address

7.1 Response Times

We will respond to your request without undue delay and in any event within one month of receipt (Article 12(3)). This period may be extended by a further two months if the request is complex or we receive multiple requests, and we will inform you of the extension and reasons within one month.

7.2 Identity Verification

We may request proof of identity before processing certain requests to ensure we are responding to the correct person and protecting your data from unauthorized access (Article 12(6)).

7.3 Fees

Exercising your rights is generally free of charge (Article 12(5)). However, we may charge a reasonable fee or refuse to act if requests are manifestly unfounded, excessive, or repetitive, particularly because of their repetitive character. In such cases, we will inform you of the fee and reasons.

7.4 Information Format

We will provide information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language (Article 12(1)). Information will be provided in writing or by other means, including electronic means where appropriate.

7.5 Notification of Third Parties

If we have shared your data with third parties and you exercise your rights (rectification, erasure, restriction), we will inform each recipient of the personal data, unless this proves impossible or involves disproportionate effort (Article 19). We will inform you about those recipients if you request it.

Under Article 32 of UK GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk:

8.1 Technical Measures

• Encryption: Data in transit encrypted using TLS/SSL. Sensitive data at rest encrypted using industry-standard encryption (AES-256)
• Access Controls: Strict access controls, role-based access, principle of least privilege, access logging
• Authentication: Multi-factor authentication (2FA) available and encouraged, strong password requirements
• Secure Infrastructure: Data stored in secure data centers with physical and logical security, regular security updates
• Network Security: Firewalls, intrusion detection, DDoS protection, regular security monitoring
• Secure Development: Secure coding practices, code reviews, vulnerability scanning, penetration testing
• Backup and Recovery: Regular encrypted backups, disaster recovery procedures, tested recovery plans

8.2 Organizational Measures

• Staff Training: Regular data protection and security training for all staff
• Policies and Procedures: Comprehensive data protection policies, incident response procedures, access control policies
• Data Protection Impact Assessments (DPIAs): Conducted for high-risk processing activities
• Records of Processing: Maintained as required by Article 30
• Data Protection Officer: Appointed to oversee compliance
• Vendor Management: Contracts with processors include GDPR-compliant data processing agreements
• Regular Audits: Security audits, compliance reviews, vulnerability assessments

Under Articles 33 and 34 of UK GDPR, we have obligations regarding personal data breaches:

9.1 Notification to Supervisory Authority

In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms (Article 33(1)).

The notification will include:

• Nature of the breach
• Categories and approximate number of data subjects affected
• Categories and approximate number of personal data records concerned
• Likely consequences
• Measures taken or proposed to address the breach

9.2 Notification to Data Subjects

If a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay (Article 34(1)). The notification will include:

• Nature of the breach
• Name and contact details of our Data Protection Officer
• Likely consequences
• Measures taken or proposed to address the breach
• Advice on steps you can take to mitigate risks

We may not notify you if:

• We have implemented appropriate technical and organizational measures (e.g., encryption) that render data unintelligible
• We have taken subsequent measures to ensure the high risk is no longer likely to materialize
• Notification would involve disproportionate effort (in which case we will use public communication instead)

Under Chapter V of UK GDPR, transfers of personal data to countries outside the UK require appropriate safeguards. Some of our service providers process data outside the UK. We ensure appropriate safeguards are in place:

10.1 Adequacy Decisions

Transfers to countries with adequacy decisions (e.g., EU countries) are permitted without additional safeguards.

10.2 Standard Contractual Clauses (SCCs)

We use ICO-approved Standard Contractual Clauses with service providers in countries without adequacy decisions. These clauses provide contractual guarantees about data protection.

10.3 Binding Corporate Rules

Where relevant, we use binding corporate rules for multinational service providers.

10.4 Other Safeguards

We implement additional technical and organizational measures as required by UK GDPR, including:

• Encryption of data in transit and at rest
• Access controls and audit logging
• Regular security assessments
• Data minimization

For more information about international transfers and safeguards, please contact our Data Protection Officer.

We have appointed a Data Protection Officer (DPO) to oversee our data protection compliance. The DPO:

• Monitors compliance with UK GDPR and data protection laws
• Provides advice on data protection impact assessments (DPIAs)
• Acts as a point of contact for data subjects and the ICO
• Cooperates with the ICO
• Provides staff training

Contact the DPO:
Email: dpo@cleanerpal.com
Address: Cleaner Pal Ltd., Ground Floor, Gallery Building, 65-69 Dublin Rd, Belfast, BT2 7HG, Northern Ireland

If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: ico.org.uk
Email: casework@ico.org.uk

We encourage you to contact us first at privacy@cleanerpal.com or our DPO so we can try to resolve your concerns.

Cleaner Pal Ltd.
Ground Floor, Gallery Building
65-69 Dublin Rd
Belfast
BT2 7HG
Northern Ireland

General Inquiries: info@cleanerpal.com
Privacy Inquiries: privacy@cleanerpal.com
Data Protection Officer: dpo@cleanerpal.com