Skip to content
Clean Contracts UNITED KINGDOM
Take The Scorecard
Legal

Privacy policy

Last updated: 22 April 2026

This privacy notice explains what personal data Clean Contracts UK Limited collects, why we collect it, how we use it and the rights you have over it.

1. Who we are

Data controller: Clean Contracts UK Limited (trading name of Shroomccino Ltd, in the process of renaming to Clean Contracts UK Limited via Companies House form NM01), registered in England and Wales, company number 14761725.

Contact for data matters: privacy@cleancontractsuk.co.uk

Registered office: England and Wales (full address available at Companies House, company number 14761725).

We are registered with the Information Commissioner's Office. Registration number: [TO BE INSERTED].

2. What personal data we collect

We collect the following categories of personal data:

From buyers completing the Scorecard:

  • Name and job title
  • Business name, postcode and sector
  • Contact email address
  • Responses to all Scorecard questions, including information about existing cleaning contracts, facilities size, service frequency and contract value
  • Consent status recorded at question 14 of the Scorecard (whether you agree to receive an operator introduction)
  • Timestamp of Scorecard submission

From website visitors:

  • IP address
  • Browser type and version (user agent string)
  • Pages visited and time on site
  • Referral source
  • Timestamps of visits

From operators applying to the panel:

  • Name and role of the person completing the application
  • Business name, registered address and company number
  • Contact email address and telephone number
  • Information submitted as part of the vetting process, including insurance documentation and operational capacity data

We do not collect special category personal data (as defined by UK GDPR Article 9) and we do not knowingly collect data from individuals under the age of 18. Our services are directed at businesses, not consumers.

3. Lawful basis for processing

We rely on the following lawful bases under UK GDPR Article 6:

Consent (Article 6(1)(a)): We rely on consent for sending marketing emails, including follow-up communications about our services and relevant industry content. Consent is obtained at question 14 of the Scorecard. Where consent is not given, we will not send marketing communications. You may withdraw consent at any time (see section 9).

Contract (Article 6(1)(b)): Once a buyer has given consent to receive an introduction and we have matched an operator, we process the data necessary to complete that introduction as part of the contractual arrangement. Operator data is processed on the same basis under the terms of the Master Operator Agreement.

Legitimate interests (Article 6(1)(f)): We process website visitor data (IP, user agent, timestamps) for the purposes of website security, fraud prevention and aggregate analytics. We have carried out a legitimate interests assessment and are satisfied that this processing does not override the interests or rights of individuals, given the limited nature of the data involved and the security purpose served.

4. Purposes of processing

We use the personal data we collect for the following purposes:

  • Producing and delivering your personalised Audit Report following completion of the Scorecard
  • Assessing your suitability for an operator introduction, where consent has been given
  • Making the introduction by sharing your contact details and Scorecard summary with the matched operator
  • Sending follow-up communications where you have consented to receive them
  • Vetting and onboarding operators to the panel
  • Managing our commercial relationship with operators, including invoicing for qualified introductions
  • Operating and improving the website, including analytics and security monitoring
  • Meeting our legal and regulatory obligations, including maintaining records of consent

5. Retention

We retain personal data for the following periods:

| Data type | Retention period | Reason | |---|---|---| | Consent logs (buyers who gave consent at Q14) | 6 years from date of consent | Legal obligation to demonstrate consent basis | | Scorecard data (buyers who did not consent) | 3 years from date of submission | Legitimate business records, potential dispute resolution | | Operator agreements and vetting records | 6 years from termination of the operator relationship | Legal and contractual obligation | | Website analytics data | 26 months | Standard analytics retention | | Complaint and correspondence records | 6 years from resolution | Legal obligation |

At the end of the applicable retention period, data is deleted or anonymised securely.

6. Sharing your personal data

Operators: If you complete the Scorecard and give explicit consent at question 14, your name, business name, contact email and a summary of your Scorecard responses will be shared with the matched operator. This sharing is the core purpose of our introduction service. It will not happen without your consent.

Service providers: We use third-party technology providers to operate the website, host data, send email communications, and process scorecard responses. These providers act as data processors on our behalf under written data processing agreements. They are not permitted to use your data for their own purposes. All processors are based in the United Kingdom or, where based outside the UK, operate under UK GDPR-compliant transfer mechanisms.

Legal and regulatory authorities: We may share data with regulators, law enforcement or courts where we are legally required to do so.

We do not sell, rent or trade personal data to any third party for commercial purposes.

7. International transfers

We do not intentionally transfer personal data outside the United Kingdom. Our data hosting and processing infrastructure is UK-based. Where a third-party processor has infrastructure in other countries, we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V before any transfer occurs. If this position changes, we will update this notice.

8. Cookies

We use cookies on cleancontractsuk.co.uk as follows:

Essential cookies: These are required for the website to function. They cannot be switched off. They include session management and security tokens.

Analytics cookies: We use analytics software to understand how visitors use the site. This involves collecting anonymous, aggregated data about page views, session duration and referral sources. No advertising or tracking cookies are used.

We do not use advertising cookies, retargeting cookies or cross-site tracking cookies of any kind.

A cookie banner on first visit to the site allows you to accept or decline analytics cookies. Essential cookies cannot be declined.

9. Your rights

Under UK GDPR, you have the following rights in respect of your personal data:

Right of access: You may request a copy of the personal data we hold about you.

Right to rectification: You may ask us to correct inaccurate or incomplete data.

Right to erasure: You may ask us to delete your personal data in certain circumstances, for example where the data is no longer necessary for the purpose for which it was collected.

Right to portability: Where processing is based on consent or contract, you may request your data in a structured, commonly used, machine-readable format.

Right to object: You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.

Right to restrict processing: You may ask us to restrict processing of your data in certain circumstances, for example while a complaint is being investigated.

Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please write to us at privacy@cleancontractsuk.co.uk. We will respond within one calendar month of receiving a valid request.

10. Right to complain to the ICO

If you are unhappy with how we have handled your personal data, you have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters.

ICO website: https://ico.org.uk

ICO helpline: 0303 123 1113

We would always prefer to resolve any concern directly before you escalate to the ICO. Please contact us first at privacy@cleancontractsuk.co.uk and we will do our best to address your concern promptly.

11. Security

We take the security of personal data seriously. Our technical and organisational measures include:

  • Encryption of personal data at rest and in transit using industry-standard protocols
  • Access controls that restrict data access to named personnel on a need-to-know basis
  • Regular review of data access logs
  • Secure disposal of data at the end of retention periods
  • Contractual security obligations imposed on all data processors

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, in accordance with UK GDPR Article 33. Where the breach poses a high risk to individuals, we will also notify affected individuals without undue delay.

12. Changes to this notice

We review this Privacy Policy at least annually and whenever there is a material change to our data practices. The current version will always be published at https://cleancontractsuk.co.uk/privacy/ with the date it was last updated.

Related policies

Last updated: 22 April 2026
Related policies