Water Direct Portal — Privacy Notice
This Privacy Notice explains how Water Direct Ltd collects, uses, and protects personal data through the use of the Water Direct Web Portal and accompanying Mobile App for Google Android and Apple.
We are committed to protecting the privacy of users and operating in accordance with the GDPR, the UK GDPR the Data Protection Act 2018 and any other relevant laws and guidance Portal applicable to us.
Where your use is as a result of your relationship with our customer we may provide our services as a processor to that company. In which case, the use of your data is in accordance with their privacy notice which can be found on their website. We will process your data in accordance with our or their legitimate interests in accordance with our contract with them.
Index
1. Data We Collect
We collect the names and phone numbers of registered users and drivers, in order to access the service. Location data is collected for drivers during active deliveries. Usage data such as logins, route completion, and status updates is also recorded. We also collect analytics data via Google Analytics, Microsoft Clarity, and Mixpanel to improve system performance.
The personal data we collect from you, either directly or indirectly, will depend on how you interact with us and with our Portal. We collect personal data about you from the following different sources:
Information that you provide directly
We collect personal data directly from you when you choose to provide us with this information online and through your other interactions with us. Certain parts of our Portal ask you to provide personal data when you engage with the following services: Account creation and profile.
Information that we collect indirectly
We collect your personal data indirectly, including through automated means from your device when you use our Portal. Some of the information we collect indirectly is captured using cookies and other tracking technologies, as explained further in the "Cookies and similar tracking technology" section below.
Automated decision making is used via algorithms to organize addresses to group deliveries for logistical and operational reasons but you will not be subjected to decisions involving legal or similar consequences
Information from third parties
We also may collect your personal data from third party sources, i.e. our service providers that provide operational assistance, email, marketing and analytics services. Information received from third parties will be checked to ensure that the third party either has your consent or are otherwise legally permitted or required to disclose your personal data to us.
In general, we will use the personal data we collect from you only for the purposes described in this Privacy Notice or for purposes that we explain to you at the time we collect your personal data. However, we will also use your personal data for other purposes that are compatible with the purposes we have disclosed to you (such as archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes) if and where this is permitted by applicable data protection laws.
The table below describes the categories of personal data we collect from and about you through our online services and activities on our Portal.
| Personal Data Description | Source |
|---|---|
| Identity and Contact Data such as your name, email address and password and telephone number. |
|
| Account Data such as your login information (email and password) and profile information (contact details including your name, surname, postcode, phone). |
|
| Communications Data such as your feedback on our products and services or the performance of our Portal and other communications with us (including when you interact with our customer service agents offline), any queries you raise, competition and survey entries, chat, email or call history on the Portal or with third party service providers. This will include information as to how you contact customer services and the channel of communication that you use or any information that you send to us. We will do this if you complain about the performance of our Portal and send us screenshots). |
|
| Device Data collected from (or as a result of your using) your device (including by means of cookies and similar tracking technology), including your IP address, your ISP, and the browser you use to visit our Portal platform. |
|
| Portal Usage Data such as activity and Portal interaction, information that we capture using cookies and similar technologies (see the "Cookies and similar tracking technology" section). This will include page views and searches, log-in information, clicks, operating system, information about content viewed, watched or downloaded for offline access, length of visits to certain pages, length of Portal use, purchase history and other functional information on Portal performance (for example, application version information, diagnostics, and crash logs). |
|
| Location Data If you access our services on a mobile app, we will collect location tracking data for operational purposes and georeferenced proof of deliveries for compliance and service auditing. This may be collected using WiFi access points / and/or GPS from which we can identify your precise geographic location. |
|
| Uploaded Content such as any personal data in photographs / videos or audio recordings that you upload onto our Portal, and requests for assistance from customer service. |
|
We do not collect any sensitive personal data about you, such as health-related information or information about your race or ethnicity, or sexual orientation.
2. Legal Basis for Processing
Depending on our purpose for collecting your information, we rely on one of the following legal bases:
- Consent -- in certain circumstances, we may ask for your consent before we collect, use, or disclose your personal data, in which case you can voluntarily choose to give or deny your consent without any negative consequences to you;
- Legitimate interests -- we will use or disclose your personal data for the legitimate interests of either Water Direct or a third party, but only when we are confident that your privacy rights will remain appropriately protected. If we rely on our (or a third party's) legitimate interests, these interests will normally be to: operate, provide and improve our business, including our Portal; communicate with you and respond to your questions; improve our Portal or use the insights to improve or develop marketing activities and promote our products and services; detect or prevent illegal activities (for example, fraud); and/or to manage the security of our IT infrastructure, and the safety and security of our employees, customers, vendors and visitors. Where we require your data to pursue our legitimate interests or the legitimate interests of a third party, it will be in a way which is reasonable for you to expect as part of the running of our business and which does not materially affect your rights and freedoms. We have identified below what our legitimate interests are.
- Legal obligation -- there may be instances where we must process and retain your personal data to comply with laws or to fulfil certain legal obligations.
| Purpose/Activity | Type of personal data | Lawful basis for processing including basis of legitimate interest |
|---|---|---|
| Register your account on our Portal, to manage and administer your account. | Identity and Contact Data Account Data Transaction Data Communication Data Device Data Location Data |
|
| Create and / or respond to service requests for deliveries of our services. | Identity and Contact Data Account Data Communication Data Transaction Data Device Data Location Data |
|
| Respond to your communications regarding our products and services, send you service updates, confirmations, invoices, technical notices, updates, security alerts, support and administrator messages, respond to your enquiries, requests or complaints. | Identity and Contact Data Account Data Transaction Data Communication Data Uploaded Content Device Data Portal Usage Data |
|
| Reviewing communications with you for customer support and quality assurance and training purposes, and related recordkeeping. | Identity and Contact Data Account Data Transaction Data Communications Data Uploaded Content Device Data Portal Usage Data |
|
| Keep our business, including our Portal, our employees, customers, and vendors secure and address threats to their safety or the safety of others; to detect and prevent online fraud. For example, online we use malware and spyware monitoring tools to detect suspicious activity and algorithms to detect unauthorised access. | Identity and Contact Data Account Data Transaction Data Device Data Portal Usage Data Communications Data Location Data |
|
| Manage compliance with our terms of service, and related internal reporting. | Identity and Contact Data Account Data Communications Data Transaction Data |
|
| To administer and maintain our Portal and our IT systems (including monitoring, troubleshooting, data analysis, testing, system maintenance, repair and support, reporting and hosting of data). | Identity and Contact Data Account Data Device Data Portal Usage Data |
|
| Manage our use of tracking technologies such as cookies and analyse collected data to learn about our Portal to improve our Portal, and to develop new products and services. This includes website analytics, identifying browsing trends and patterns and evaluating this information on an aggregated, group(s) basis (Marketing Data) and individual basis (Account Data, Device Data, Location Data and Portal Usage Data). | Account Data Device Data Portal Usage Data Location Data Account Data Advertising and Marketing Data Communications Data |
|
| Analyse data including metrics related to transactions and behaviour (online and offline), to assess trends and the effectiveness of our marketing campaigns, to help us understand your needs and provide you with better service. | Account Data Transaction Data Device Data Portal Usage Data Communications Data Marketing Data |
|
| Contact current and prospective customers (including Portal visitors) about our products and services we think may be of interest, including our newsletter and other electronic communications. | Account Data Portal Usage Data Marketing Data Communication Data Uploaded Content Data |
|
| Personalise, target, and deliver advertising for our products and services on third party websites, Portals, and other online services (including to identify audiences and individuals like you to better tailor our marketing campaigns and communications) and measure the effectiveness of our campaigns and adjust our methods. | Account Data Marketing Data Portal Usage Data Social media Contact Device Data |
|
| Comply with legal and regulatory obligations to which we are subject, including our obligations to respond to your requests under data protection law. | Identity and Contact Data Account Data Transaction Data Portal Usage Data Location Data Communication Data Uploaded Content Data |
|
| Protect our legal rights (including where necessary, to share information with law enforcement and others), for example to defend claims against us and to conduct litigation to defend our interests. | Identity and Contact Data Account Data Transaction Data Location Data CCTV Data Portal Usage Data Communication Data |
|
3. Who we share your data with
We share your personal data with the following categories of recipients:
- third party service providers and partners who provide data processing services to us as necessary to provide you with our services (to support the delivery of, provide functionality on, or help to enhance the security of our Portal, or who otherwise process personal data for purposes described in this Privacy Notice.
- any competent law enforcement body, regulatory, government agency, court or other third party (such as our professional advisers) where we believe disclosure is necessary (i) as a matter of Applicable law or regulation, (ii) to exercise, establish or defend our legal rights or so a third party can defend theirs, or (iii) to protect your vital interests or those of any other person;
- a buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal data only for the purposes disclosed in this Privacy Notice; or
- any other person with your consent to the disclosure (obtained separately from any contract between us).
4. Access Controls and Security Measures
We use appropriate technical and organisational measures to protect the personal data that we collect and process about you. The measures are designed to provide a level of security appropriate to the risk of processing
Access to personal data is role-based and restricted to authorised personnel only. All access is logged and periodically reviewed. Data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Regular penetration testing is conducted to identify potential vulnerabilities.
5. Data Retention
We retain the personal data we collect from you where we have an ongoing legitimate need to do so (for example, to provide you with a something you have requested or to comply with Applicable legal, tax or accounting requirements).
In certain circumstances, we will need to keep your information for legal reasons after our contractual relationship has ended or your account has been deleted. The specific retention periods depend on the nature of the information and why it is collected and processed and the nature of the legal requirement.
When we have no ongoing legitimate need or legal reason to process your personal data, we will either delete or anonymise it or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.
6. Your Rights
Individuals located in the UK and EEA have the following data protection rights. To exercise any of them see specific instructions below or contact us using the email: support@water-direct.co.uk.
- You may access, correct, update or request deletion of your personal data.
- You can object to processing of your personal data, ask us to restrict processing of your personal data.
- You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the "unsubscribe" or "opt-out" link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), please contact us using the contact details: support@water-direct.co.uk. If you choose to opt out of marketing communications, we will still send you non-promotional emails, such as emails about your account or our ongoing business relations.
- If we have collected and processed your personal data with your consent, then you can withdraw your consent at any, please contact us using the contact details: support@water-direct.co.uk. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a supervisory authority about our collection and use of your personal data. For more information, please contact your local supervisory authority. Contact details for supervisory authorities in Europe are available here and for the UK here. Certain supervisory authorities will require that you exhaust our own internal complaints process before looking into your complaint.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with Applicable data protection laws
7. International Data Transfers
All personal data is stored in the EU (Frankfurt) on Render.com and AWS infrastructure. If any data is transferred outside the UK/EU, it will be protected by Standard Contractual Clauses (SCCs) or equivalent safeguards.
8. Cookies and Analytics
The portal uses cookies and tracking technologies to support system functionality and analytics. These are used under legitimate interest for performance measurement. You may disable non-essential cookies in your browser settings.
9. Use by Children
This platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from children.
10. Data Protection Impact Assessment
A formal Data Protection Impact Assessment (DPIA) has been completed for the PSR Portal and is available upon request for client due diligence.
11. Updates and Contact
We may update this Privacy Policy periodically. Users will be notified of any material changes. For privacy-related inquiries, please contact support@water-direct.co.uk.