Castle Clean & Management are committed to safeguarding and preserving the privacy of all personal data which may be provided to our company in relation to:
the ongoing running and organisation of our legitimate business activities or services;
visits to our websites or mobile applications; or any other interaction with us.
This may include personal data that you provide to us, or that we collect from you.
Castle Clean & Management are processing your personal data to provide cleaning services. The legal basis for processing your personal data is legitimate interests to meet our contractual obligations to customers in relation to providing cleaning and associated services; and to respond to potential customer enquiries.
Furthermore, these legitimate interests include promoting the cleaning and associated services offered by Castle Clean & Management and/or marketing the services offered by Castle Clean & Management to existing customers.
Your personal data is passed to our cleaning team in order for them to carry out their contract with Castle Clean & Management and clean your property.
Your personal data is passed to Xero who manage our CRM system.
We will update this Policy from time to time to keep us in line with current EU and UK Legislation; you may therefore wish to re-visit this to view any up-to-date content.
Terms and Definitions
We have written our privacy policy in clear and transparent language, as we believe it should be easily understandable. However, there are a number of terms or definitions used throughout this Policy which we feel warrant further explanation below.
General Data Protection Regulation (GDPR): the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data Controller: the entity that determines the purposes, conditions and means of the processing of personal data.
Data Processing: any operation performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Processor: the entity that processes data on behalf of the Data Controller.
Data Protection Authority: national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union.
Data Protection Officer (DPO): an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR.
Data Subject: a natural person whose personal data is processed by a controller or processor.
Personal Data: any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person.
Profiling: any automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour.
Regulation: a binding legislative act that must be applied in its entirety across the Union.
Subject Access Right: also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them.
Who are we?
Where this Policy refers to `we`, `us`, `our` it refers to Castle Clean & Management. Our business provides domestic and commercial cleaning services.
We act as sole Data Controller only in our capacity as an employer and in relation to any data submitted via our website contact form which is separate from, and not in relation to direct instructions received from our existing customers. Our employees have been provided with further information on privacy via our Employee Handbook which is an internal document.
Contact Details for Data Controller
The Data Controller is: Castle Clean & Management, 20 Balksyde, Slingsby, York, YO62 4AG
Data protection enquiries should be directed to the above address or by emailing hello@castleclean.co.uk or by telephone.
Our Data Protection Principles
Principle 1: Lawfulness, Fairness and Transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. This means, Castle Clean & Management must tell the data subject what processing will occur (transparency), the processing must match the description given to the data subject (fairness), and it must be for one of the purposes specified in the applicable data protection regulation (lawfulness).
Principle 2: Purpose Limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means Castle Clean & Management must specify exactly what the personal data collected will be used for and limit the processing of that personal data to only what is necessary to meet the specified purpose.
Principle 3: Data Minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. This means Castle Clean & Management must not store any personal data beyond what is strictly required.
Principle 4: Accuracy
Personal data shall be accurate and kept up to date. This means Castle Clean & Management must have in place processes for identifying and addressing out-of-date, incorrect and redundant personal data.
Principle 5: Storage Limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. This means Castle Clean & Management must, wherever possible, store personal data in a way that limits or prevents identification of the data subject.
Principle 6: Integrity & Confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage. Castle Clean & Management must use appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data is maintained at all times.
Principle 7: Accountability
The Data Controller shall be responsible for, and be able to demonstrate compliance. This means Castle Clean & Management must demonstrate that the six data protection principles (outlined above) are met for all personal data for which it is responsible.
What Personal Data will we Collect
We will collect information from the data subject where one of the following applies:
The nature of the business necessitates collection of the personal data.
Collection of personal data may be carried out under emergency circumstances in order to protect the vital interests of the data subject; or to prevent serious loss or injury to another person.
How we will communicate
We will use the information collected to:
provide legitimate documentation to employees and customers relating directly to the proper performance of our business services;
process quotations, invoices and other financial information relating to the services provided to you;
communicate via telephone and email regarding the services you receive, or advise of matters of safety in relation to services;
discuss and provide information to legitimate suppliers or subcontractors of associated services in order that those services can be provided as per our service agreement.
The use of such data is based on legitimate business interests in providing services to you. By making initial contact with us, you consent to us maintaining a dialogue with you until you either opt out (which you can do at any stage) or until services are cancelled by either party. We may also act on behalf of our customers in the capacity of data processor. When working exclusively as a data processor, we will act on the instruction of our customer, and we will work hard to ensure that the customer remains fully GDPR compliant.
Website Privacy
People accessing our website (i.e. Data Subjects) may visit our site anonymously. We will collect personal data from users only where it is voluntarily submitted and any such information provided to us is deemed part of taking part in the activity of the site.
Users contacting us via our website enquiry form do so at their own discretion. Personal details provided for the purposes of a website enquiry may include, but are not limited to:
Name;
Phone number;
email address;
additional data which the enquirer may provide which may include an address or mobile phone number etc.
Our website enquiry form does not store or retain information. Information is passed securely via email to the company’s owner. Personal data provided is kept private and stored securely until such time as it is no longer required or has no further use. Whilst we have made every effort to ensure a safe and secure contact form to email submission process, we advise users that they provide personal data at their own risk.
By using this site, you signify your acceptance of this policy. If you do not agree to this policy, please do not use our site. Your continued use of the site following the posting of changes to this policy will be deemed your acceptance of those changes.
No personal details from our website are passed on to third parties, nor shared with other companies or people outside of the company that operates the website. We use Google Analytics to gather data on our website visitors for marketing purposes. All data is anonymous, and no personally identifiable information is collected.
Although our website only looks to include quality, safe and relevant external links, users should always adopt a policy of caution before clicking any external web links mentioned throughout this website.
Disclosure of Information
We may on occasion be required to pass your personal information to a third party exclusively to process work on our behalf; or where there is a legal requirement to do so. We require these parties to agree to process this information based on our instructions and requirements consistent with this Privacy Policy and GDPR Regulations.
We do not broker or pass on information to third parties for marketing purposes, or any other purpose not associated with our business needs, without your consent. However, we may disclose personal data to meet legal obligations, regulations or valid government department requests. We may also enforce our Terms and Conditions, including investigating potential violations of our Terms and Conditions to detect, prevent or mitigate fraud or security or technical issues; or to protect against imminent harm to the rights, property or safety of our business, our customer.
How Long will we Retain Data For
Data will only be held for as long as necessary to fulfil the purpose of the processing of such data and for statutory or legal reasons.
We will store customer data for the duration of our contractual relationship and up to a period of three years after our contractual relationship has ended. This may be for financial requirements or if we believe it may be necessary to handle any future potential complaints or claims.
We will store customer contact data for as long as you wish to receive information and service communications from us.
Your Rights as a Data Subject
At any point whilst we are in possession of, or processing, your personal data, all data subjects have the following rights:
Right of access – you have the right to request a copy of the information that we hold about you.
Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
Right to restriction of processing – where certain conditions apply you have a right to restrict the processing.
Right of portability – you have the right to have the data we hold about you transferred to another organisation.
Right to object – you have the right to object to certain types of processing such as direct marketing.
Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.
In the event that we refuse your request under rights of access, we will provide you with a reason as to why, which you have the right to legally challenge.
At your request we can confirm what information we hold about you and how it is processed.
You can request the following information:
Identity and the contact details of the person or organisation (Castle Clean & Management) that has determined how and why to process your data.
Contact details of the data protection officer, where applicable.
The purpose of the processing as well as the legal basis for processing.
If the processing is based on the legitimate interests of our business, or a third party such as one of our clients, information about those interests.
The categories of personal data collected, stored and processed.
Recipient(s) or categories of recipients that the data is/will be disclosed to.
How long the data will be stored.
Details of your rights to correct, erase, restrict or object to such processing.
Information about your right to withdraw consent at any time.
How to lodge a complaint with the supervisory authority (Data Protection Regulator).
Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
The source of personal data if it wasn’t collected directly from you.
Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
International Transfer of Data
We host applications and data on industry leading cloud-based servers, whose data centres are held within the UK or EU using different (multiple) servers which have been thoroughly tested for security, availability and business continuity. The infrastructure for application servers is managed and maintained by each service provider. We have undertaken a check of each service provider’s security and privacy policies and have deemed that these are suitable and sufficient to meet GDPR requirements.
We do not store personal data outside of the EEA.
Data Breaches
Any staff member who suspects that a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data might have occurred, must immediately notify the Data Controller and provide a description of the circumstances. Notification of the incident can be made via e-mail, by telephone, or in person.
Consent
This Privacy Policy complies with the regulations and requirements for user privacy under the EU General Data Protection Regulation (GDPR) outlined in Articles 12, 13 and 14, effective from 25 May 2018. Through agreeing to this Privacy Policy you are consenting to us processing your personal data for the purposes outlined above. You can withdraw consent at any time by emailing hello@castleclean.co.uk or writing to us.