KGW CLEANERS — PRIVACY POLICY (UK GDPR)

Last updated: 17 February 2026

This Privacy Policy explains how Keystone Group Wash & Wipe Cleaners Ltd (trading as KGW Cleaners) collects and uses personal data when you:

  • visit our website;
  • contact us (including by phone or WhatsApp);
  • request a quote;
  • book cleaning services; or
  • receive our cleaning services.

This Policy is intended to provide the “privacy information” required by the UK GDPR, the Data Protection Act 2018, and (where applicable) the Privacy and Electronic Communications Regulations (PECR). It covers personal data you give us directly and, where applicable, data we receive from third parties (for example, a property management company arranging access).

1) Who we are (Data Controller)

Keystone Group Wash & Wipe Cleaners Ltd is the data controller for the personal data described in this Policy.

  • Registered office: 2 Sherwood Close, Dewsbury, Leeds WF13 4PQ
  • Company number: 16795905 (England and Wales)
  • Email: contact@kgwcleaners.com
  • Data protection contact: contact@kgwcleaners.com

If you contact us by WhatsApp, please note that WhatsApp processes certain information under its own terms and policies. This is separate from how we handle your data as a cleaning service provider.

2) Data protection principles

We process personal data in accordance with the UK GDPR principles, including lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.

3) What personal data we collect

We may collect and use the following categories of personal data (depending on how you interact with us):

  1. A) Identity and contact data
  • Name
  • Email address
  • Phone number
  • Address/service location and postcode
  1. B) Booking and service data
  • Booking dates/times, service type, scope and preferences
  • Access details needed to perform the service (e.g., entry instructions, key collection instructions, alarm set/unset times if you choose to provide them)
  • Notes you provide about the property relevant to the clean (e.g., surfaces, pets, access constraints)
  1. C) Communications data
  • Emails and messages you send us
  • Phone call logs and notes, and voicemail messages you leave
    (We do not routinely record calls. If we ever record a call, we will tell you at the start of the call.)
  • WhatsApp messages and attachments you send (e.g., photos for quoting)
  1. D) Payment and invoice data
  • Invoice history, amounts, payment status
  • Reference information needed to reconcile payments (e.g., bank transfer references)
  • Where card payments are used, we do not intentionally store full card details on our systems; payment providers/banks typically process these details.
  1. E) Website usage and technical data
  • IP address, device/browser information, pages visited, referral sources, and similar usage information
  • Cookie identifiers and analytics data only where you have consented (see section 9)
  1. F) Preference data
  • Your communication preferences (e.g., marketing opt-out status)

4) Special category data and criminal offence data

We do not need special category personal data (such as health information) to provide cleaning services and we ask you not to send it to us.

If you choose to share sensitive information (for example, vulnerability/access needs), we will:

  • limit use to what is necessary to manage your booking and provide services safely;
  • limit access to those who need to know; and
  • apply additional safeguards where appropriate.

Special category data has additional legal protections. If we ever process it, we will do so only where an appropriate Article 9 condition (and any required UK law condition/safeguards) applies.

We do not request criminal offence data and do not require it for our services. This category is subject to stricter rules under UK GDPR Article 10.

5) Where we get your data from

We obtain personal data from:

  • you directly (website forms, email, phone, WhatsApp, in person at the service location);
  • observation during service delivery (e.g., access notes required to complete a visit); and
  • third parties where relevant (e.g., a property manager/landlord providing access instructions for a site they control).

If we receive personal data about you from someone else, we will provide the required privacy information within the UK GDPR timescales (generally within one month, and sooner in some situations).

6) How we use your data and our lawful bases

UK GDPR requires a lawful basis for each use of personal data. The lawful bases are set out in Article 6, and at least one must apply whenever we process personal data.

  1. A) Providing quotes, taking bookings, and delivering cleaning services

We use: identity/contact, booking/service, communications, and (where needed) access details to respond to enquiries, provide quotes, schedule/confirm services, deliver services, and provide customer support.
Lawful basis: Contract and steps prior to entering a contract (Article 6(1)(b)).

  1. B) Managing payments, invoices, and accounts

We use: identity/contact and payment/invoice data to issue invoices/receipts, reconcile payments, handle queries, and maintain accounting/tax records.
Lawful basis: Legal obligation (Article 6(1)(c)) and/or contract (Article 6(1)(b)), depending on the processing.

  1. C) Communicating with you about your booking or service

We use: identity/contact and communications data for confirmations, reminders, access coordination (including WhatsApp if you choose), rescheduling/cancellations, and issue resolution.
Lawful basis: Contract/steps prior to contract (Article 6(1)(b)). Where appropriate for operational communications, we may also rely on legitimate interests in efficient customer communications (Article 6(1)(f)), balanced against your rights.

  1. D) Running our business and improving operations

We use: booking/service data, communications data, and operational notes to keep records, improve service quality/consistency, train staff (using minimal data), and prevent disputes/maintain standards.
Lawful basis: Legitimate interests (Article 6(1)(f)).

  1. E) Handling complaints, claims, incidents, or insurance matters

We use: identity/contact, booking/service, communications, and (where relevant) payment/invoice data to investigate complaints, keep incident records, and liaise with insurers/professional advisers.
Lawful basis: Legitimate interests (Article 6(1)(f)) and, where applicable, processing necessary for legal claims.

  1. F) Website security and performance

We use: technical data and essential cookies to operate the site securely, protect against fraud/abuse, and maintain integrity/availability.
Lawful basis: Legitimate interests in operating a secure website and business.
For non-essential cookies/analytics, we rely on consent (see section 9).

  1. G) Marketing (only where permitted)

We may send updates or offers about our services only where permitted by law.

Depending on the channel and your relationship with us, our lawful basis may be:

  • Consent; or
  • Soft opt-in under PECR where all requirements are met (including: details obtained during a sale/negotiation, marketing our similar services, opt-out offered at collection and in every message).

Your choices: You can opt out at any time. If you object to direct marketing, we will stop using your data for that purpose.

Phone marketing: If we conduct marketing calls, we will comply with PECR rules including TPS/CTPS restrictions where applicable.

7) Whether you must provide personal data

You are not legally required to provide personal data to us. However, if you do not provide personal data we reasonably need to provide a quote, confirm a booking, or deliver services (for example, your name, contact details, and service address), we may not be able to respond, enter into a contract, or provide the services.

If you provide access information (such as entry instructions), it should be limited to what is necessary for us to carry out the service.

8) Who we share your data with

We share personal data only where necessary for the purposes described above. Typical recipients include:

  • our cleaners/staff and approved subcontractors (only what they need to carry out the service);
  • accountants/bookkeepers for accounts and tax;
  • banks, payment providers, and our bookkeeping systems (where relevant to payments and accounting);
  • insurers and professional advisers where a claim/dispute arises;
  • IT and website service providers (e.g., hosting, email services, security/spam protection);
  • messaging providers (e.g., WhatsApp if you contact us via WhatsApp);
  • HMRC and other authorities/regulators where we are required to do so by law.

Where service providers act as our processors, we put written terms in place requiring appropriate safeguards and controlling how they use personal data.

We do not sell your personal data.

Business changes: If we sell or reorganise our business, personal data may be shared with relevant parties (e.g., buyers/professional advisers) where necessary, under appropriate protections.

9) International transfers

Some suppliers (for example, communications or cloud service providers) may process personal data outside the United Kingdom.

Where a transfer is a “restricted transfer” under UK GDPR and is not covered by UK adequacy regulations, we will use appropriate safeguards (such as the UK IDTA or the UK Addendum to EU SCCs) and carry out any required transfer risk assessment. You can contact us for more information about safeguards used (and how to obtain a copy where applicable).

10) Cookies and analytics

We use cookies and similar technologies.

  • Essential cookies may be used where necessary to make the site work securely and properly.
  • Non-essential cookies (e.g., analytics/marketing cookies) will be used only if you consent via our cookie controls.

Consent must involve a clear positive action, and users should have an easy way to enable/disable non-essential cookies.

More details are provided in our Cookie Policy.

11) How long we keep your data (retention)

We keep personal data only as long as necessary for the purposes described in this Policy.

Typical retention periods (which may vary depending on circumstances and legal requirements):

  • Enquiries/quotes not converted to bookings: up to 12 months.
  • Customer booking/service records: up to 6 years after the last service (business records and potential claims).
  • Invoices and accounting records: typically up to 6 years.
  • Complaint/claim records: typically up to 6 years after resolution.
  • Marketing preferences: until you opt out / withdraw consent.
  • Website security logs: retained for as long as reasonably necessary for security and fraud prevention.

We may keep data longer if required by law or if needed to establish, exercise, or defend legal claims.

12) Your rights

You have rights under UK GDPR, including:

  • the right to be informed (this Policy);
  • access;
  • rectification;
  • erasure (in certain circumstances);
  • restriction (in certain circumstances);
  • data portability (where applicable);
  • objection to processing based on legitimate interests; and
  • the right to object to direct marketing at any time.

Withdrawing consent: Where we rely on consent, you can withdraw it at any time. Withdrawal does not affect processing before withdrawal.

How to exercise your rights: Email contact@kgwcleaners.com.

We may need to verify your identity before responding, and we will only request verification that is reasonable and proportionate. We respond without undue delay and typically within one month (extension possible for complex requests, and we will tell you if so).

13) Automated decision-making and profiling

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects for you.

14) Complaints

If you have concerns, please contact us first at contact@kgwcleaners.com so we can try to resolve the issue.

You also have the right to complain to the Information Commissioner’s Office (ICO).

15) Security and personal data breaches

We use appropriate technical and organisational measures to protect personal data, including limiting access to those who need it and using reputable service providers with security controls. UK GDPR requires a level of security appropriate to risk (Article 32).

If a personal data breach is likely to result in a risk to individuals’ rights and freedoms, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it (unless unlikely to result in risk). If a breach is likely to result in a high risk, we will also inform affected individuals without undue delay, as required.

16) Children

Our services are not directed at children, and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us.

17) Changes to this Privacy Policy

We may update this Policy from time to time. The latest version will be posted on our website with the “Last updated” date.