Privacy Policy

Last updated: 28 May 2026

1. Who We Are

TYDFY LTD (“we”, “us”, “our”) is the data controller for personal data collected through this platform. We operate a managed two-sided residential cleaning marketplace connecting customers with vetted cleaning professionals in the UK.

TYDFY LTD is a company registered in England and Wales, company number 17269761. Registered office: 128 City Road, London EC1V 2NX, United Kingdom. ICO registration number: ZC171837.

If you have any privacy questions, please contact us at privacy@tydfy.co.uk.

2. What Data We Collect

Data Category Examples Who it applies to
Identity data Name, email address All users
Contact data Phone number (encrypted at rest) All users
Address data Service address, postcode (address encrypted; postcode plain text) Customers
Financial data Payment amounts, booking totals (processed by Stripe; amounts retained) All users
Bank details Account number, sort code (encrypted at rest; used for payout) Cleaners
Identity documents DBS certificate, photo ID, right to work, proof of address Cleaners
Usage data Booking history, availability settings, quality scores All users

3. Lawful Basis for Processing

  • Contract performance (UK GDPR Article 6(1)(b)): We process your name, email, phone, address, and payment details to deliver the cleaning service you have booked.
  • Legitimate interests (UK GDPR Article 6(1)(f)): We process usage data and quality scores to operate the platform safely, match cleaners to bookings, and detect fraud.
  • Legal obligation (UK GDPR Article 6(1)(c)): We retain financial transaction records for 7 years under the Taxes Management Act 1970 (HMRC requirement).
  • Consent (UK GDPR Article 6(1)(a)): We obtain explicit consent from cleaners at registration for processing their identity documents and bank account details.

4. Data Retention

Data Type Retention Period Legal Basis
Financial records (booking amounts, payments) 7 years from the transaction date Taxes Management Act 1970 (HMRC legal obligation)
DBS certificate data Maximum 6 months — certificate content deleted; reference number retained DBS Code of Practice
Identity documents (photo ID, right to work) Active account + 12 months after account closure Contract performance + legitimate interests
Account and profile data Active account + 12 months after closure or erasure request approval Contract performance
Audit logs 7 years (immutable — required for regulatory accountability) Legal obligation + legitimate interests

5. Third-Party Data Processors

  • Stripe Inc. — Payment processing. Card data is processed entirely by Stripe and never touches our servers. Stripe is PCI-DSS compliant. Stripe Privacy Policy.
  • SendGrid (Twilio Inc.) — Transactional email delivery (booking confirmations, notifications). Emails are processed in the EU. SendGrid Privacy Policy.
  • Microsoft Azure (UK South) — Cloud infrastructure. Identity documents are stored in Azure Blob Storage (UK South region only). Data does not leave the UK. Microsoft Privacy Statement.

6. Your Rights Under UK GDPR

  • Right of Access (Article 15): Request a copy of all personal data we hold about you.
  • Right to Erasure (Article 17): Request deletion of your personal data, subject to legal hold obligations.
  • Right to Restriction (Article 18): Request that we restrict processing of your data in certain circumstances.
  • Right to Portability (Article 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Article 21): Object to processing based on legitimate interests.
Note on financial records: If you request account deletion, financial transaction amounts (booking totals, payments) are retained for 7 years under the Taxes Management Act 1970. Your personal details are removed from these records; only the financial amounts are kept. This exception is a legal obligation and cannot be waived.

7. Exercising Your Rights

To exercise any of the above rights:

  • Authenticated users: Visit My Profile & Data Rights in your dashboard to export your data or submit an erasure request.
  • Privacy complaints: Submit a complaint at /privacy/complaint. We will acknowledge your complaint within 30 calendar days (DUAA s.164A requirement).
  • Email: Contact us at privacy@tydfy.co.uk. We will respond within 30 days.

8. Complaints to the ICO

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Make a complaint to the ICO

ICO helpline: 0303 123 1113 (Monday to Friday, 9am to 4:30pm).