UK GDPR & Data Protection Act 2018

Privacy Policy

Last updated: 30 March 2026

Plain-English summary: Vouchee is a cleaning marketplace connecting homeowners with local cleaners in Horsham. We collect only the information we need to operate that service — such as your name, contact details, and cleaning preferences. We never sell your data. We never share it with third parties for their own marketing. You have the right to access, correct, or delete your data at any time. This policy explains everything in full below.

1. Who we are

Vouchee ("Vouchee", "we", "us", "our") operates the website at https://www.vouchee.co.uk and the associated platform services (together, the "Platform").

For the purposes of UK data protection law — including the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018") — Vouchee is the data controller for personal data processed through the Platform.

If you have any questions about this policy or how we handle your data, please contact us at: legal@vouchee.co.uk

2. What personal data we collect

We collect personal data in the following categories:

2.1 Data you give us directly

  • Account registration: Full name, email address, password (stored as a bcrypt hash — we never store your plain-text password), phone number, and role (customer or cleaner).
  • Cleaning requests (customers): Property details including number of bedrooms and bathrooms, preferred cleaning days and times, tasks required, hourly rate offered, and any additional notes you choose to provide.
  • Cleaner profile (cleaners): Years of experience, types of cleaning experience, whether you supply your own equipment, DBS check status, right to work confirmation, public liability insurance status, and the areas of Horsham you are willing to cover.
  • Application messages: Any message you write when applying for a job or communicating through our chat system.
  • Payment information: We do not store card details. Payment processing is handled by GoCardless, a PCI DSS-compliant third party. We receive only limited transaction references necessary to confirm payment status.

2.2 Data we collect automatically

  • Usage data: Pages visited, features used, time and duration of visits, and referring URLs.
  • Device and technical data: IP address, browser type and version, operating system, and device identifiers.
  • Cookies and similar technologies: Session cookies required for authentication, and analytics cookies (if you consent). See Section 9 for full details.

2.3 Data we receive from third parties

  • Authentication providers: If you choose to sign in via a third-party authentication provider (e.g. Google), we receive your name and email address as permitted by that provider.
  • Payment processors: GoCardless may share limited transaction status information with us.

2.4 Special category data

We do not intentionally collect special category data as defined by Article 9 UK GDPR (e.g. health, racial or ethnic origin, religious beliefs, or biometric data). If you voluntarily include such information in a free-text field, we will process it only to the extent necessary to provide the service. You should avoid including special category data unless strictly necessary.

DBS (Disclosure and Barring Service) check status is collected from cleaners as a self-declared confirmation. We do not hold copies of DBS certificates.

3. How and why we use your data

We process your personal data on the following lawful bases:

Purpose | Lawful basis
Creating and managing your account | Contract (Article 6(1)(b) UK GDPR)
Matching customers with cleaners and facilitating applications | Contract (Article 6(1)(b) UK GDPR)
Processing payments via GoCardless | Contract (Article 6(1)(b) UK GDPR)
Sending transactional emails (application notifications, booking confirmations, account alerts) | Contract (Article 6(1)(b) UK GDPR)
Verifying cleaner eligibility (DBS status, right to work, insurance) | Legitimate interests (Article 6(1)(f) UK GDPR) — ensuring platform safety
Detecting and preventing fraud, abuse, or violations of our Terms | Legitimate interests (Article 6(1)(f) UK GDPR)
Monitoring keyword violations in chat for safeguarding purposes | Legitimate interests (Article 6(1)(f) UK GDPR)
Improving the Platform through analytics | Legitimate interests (Article 6(1)(f) UK GDPR)
Sending marketing and promotional emails | Consent (Article 6(1)(a) UK GDPR) — you can withdraw at any time
Complying with legal obligations (e.g. tax, court orders) | Legal obligation (Article 6(1)(c) UK GDPR)

Where we rely on legitimate interests, we have assessed that those interests are not overridden by your rights and freedoms. You may object to processing based on legitimate interests at any time — see Section 7.

4. Who we share your data with

We do not sell, rent, or trade your personal data. We share data only as described below:

  • Other users of the Platform: When a cleaner applies for a job, their first name and last initial, profile information, application message, and rating are shared with the customer. A customer's full address is shared with a cleaner only after the customer has accepted that cleaner's application. Customers are not identified by name to cleaners — they are referred to by their area only (e.g. "Central Horsham") until acceptance.
  • Service providers (data processors): We use the following third-party processors who act on our instructions and are bound by data processing agreements:
    • Supabase Inc. — database hosting and authentication (servers located in the EU)
    • Vercel Inc. — web hosting and deployment
    • Resend Inc. — transactional email delivery
    • GoCardless Ltd. — Direct Debit payment processing (FCA authorised)
    • PostHog Inc. — product analytics (if you have consented to analytics cookies)
  • Legal and regulatory authorities: We may disclose personal data to law enforcement, regulators, or courts where required to do so by law, or where reasonably necessary to protect the rights, property, or safety of Vouchee, our users, or others.
  • Business transfers: In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the relevant third party. We will notify affected users in advance.

5. International data transfers

Some of our service providers are based outside the United Kingdom. Where we transfer personal data outside the UK, we ensure that appropriate safeguards are in place, such as:

  • UK adequacy regulations (where the recipient country has been deemed adequate by the UK government)
  • International Data Transfer Agreements (IDTAs) or UK Addenda to the EU Standard Contractual Clauses
  • Other appropriate safeguards permitted under UK GDPR Article 46

You may request details of the specific safeguards in place for any international transfers by contacting us at legal@vouchee.co.uk.

6. How long we keep your data

Data type | Retention period
Active account data | For the duration of your account, plus 30 days following account deletion request
Completed transaction and booking records | 7 years (to comply with HMRC record-keeping requirements)
Chat messages and application messages | 2 years from the date of the conversation, or until account deletion
Keyword violation logs | 2 years from the date of the violation
Marketing consent records | Until you withdraw consent, plus 1 year
Server and access logs | 90 days
Cookie consent records | 1 year

After the applicable retention period, data is securely deleted or anonymised. Where we are legally required to retain data for longer, we will do so but will restrict its processing.

7. Your rights

Under UK GDPR, you have the following rights in respect of your personal data:

  • Right of access (Article 15): You may request a copy of all personal data we hold about you (a "Subject Access Request").
  • Right to rectification (Article 16): You may ask us to correct inaccurate or incomplete personal data.
  • Right to erasure (Article 17): You may ask us to delete your personal data in certain circumstances — for example, if the data is no longer necessary for the purpose it was collected, or you withdraw consent.
  • Right to restrict processing (Article 18): You may ask us to suspend processing of your data while a dispute is resolved.
  • Right to data portability (Article 20): Where processing is based on contract or consent and is carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
  • Right to object (Article 21): You may object to processing based on legitimate interests or for direct marketing purposes at any time.
  • Rights related to automated decision-making (Article 22): We do not make solely automated decisions with legal or similarly significant effects about you.
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise any of these rights, please contact us at legal@vouchee.co.uk. We will respond within one calendar month. We may need to verify your identity before fulfilling your request.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

8. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher
  • Storage of passwords as bcrypt hashes, never in plain text
  • Role-based access controls limiting which staff can access personal data
  • Row-level security on our database to ensure users can only access their own data
  • Regular review of security practices and third-party processor agreements

No method of transmission over the internet or electronic storage is completely secure. While we take reasonable precautions, we cannot guarantee absolute security. If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO as required by law.

9. Cookies

We use the following categories of cookies:

  • Strictly necessary cookies: Required for the Platform to function — for example, session authentication cookies that keep you logged in. These cannot be disabled.
  • Analytics cookies: Used to understand how users interact with the Platform (e.g. PostHog). These are only set with your consent.

You can manage your cookie preferences via the cookie banner on your first visit, or by adjusting your browser settings. Note that disabling certain cookies may affect Platform functionality.

10. Children

The Platform is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data without appropriate parental consent, please contact us at legal@vouchee.co.uk and we will delete it promptly.

11. Third-party links

The Platform may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to read their privacy policies before providing any personal data to them.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by email (to the address associated with your account) and/or by displaying a prominent notice on the Platform before the change takes effect. The "Last updated" date at the top of this page will always reflect the most recent version.

Your continued use of the Platform after any update constitutes your acknowledgement of the revised policy. If you do not agree with the revised policy, you should stop using the Platform and may request deletion of your account.

13. Contact us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact:

Vouchee — Data Controller

Email: legal@vouchee.co.uk

Website: https://www.vouchee.co.uk