Privacy Policy
This Privacy Policy and Data Protection Agreement (the Policy) explains how LUSTRIA (referred to as we, us, our) collects, uses, discloses, stores and protects personal data in connection with our website, booking platform, services and business operations. This Policy is intended to be read together with our Terms and Conditions and other customer agreements. By using our website, booking a service or otherwise providing personal data to us, you acknowledge that you have read and accepted this Policy.
1. Data Controller and Contact Details
Data Controller: LUSTRIA Contact Email: info@lustria.org.uk
All enquiries, data subject requests and data breach notifications should be sent to the contact details above.
2. Scope and Purpose
This Policy applies to all personal data processed by us in the UK and internationally in connection with: website visitors; customers and prospective customers; booking and service delivery; subscription management; suppliers and contractors; job applicants and employees; marketing; and any other business activity. The purposes of processing include service provision, customer support, billing, fraud prevention, legal compliance, marketing (with consent), analytics and business improvement.
3. Categories of Personal Data Collected
We collect the following categories of personal data:
Identity Data: name, title, date of birth where provided.
Contact Data: postal address, email address, telephone numbers.
Property Data: service address, access instructions, property notes, tenancy status.
Booking Data: service type, appointment dates and times, technician notes, before and after photos.
Payment Data: payment transaction records; card data processed by Stripe; we do not store full card numbers.
Technical Data: IP address, device identifiers, browser and operating system, cookies and analytics.
Communications Data: emails, SMS, call recordings where consented or permitted.
Marketing Preferences: opt‑in status and communication preferences.
Third Party Data: data received from payment processors, advertising platforms, or authorised agents.
We do not intentionally collect special category data (sensitive personal data) except where voluntarily provided and only with explicit consent and additional safeguards.
4. Lawful Bases for Processing
We rely on the following lawful bases under UK GDPR:
Contractual necessity to perform obligations under a contract with you (booking, service delivery, billing).
Legal obligation to comply with statutory duties (tax, accounting, regulatory reporting).
Legitimate interests for fraud prevention, service improvement, internal record keeping and direct marketing to existing customers where appropriate. We document and balance these interests against your rights.
Consent where required for marketing communications, cookies beyond strictly necessary, and any processing of special category data.
A detailed lawful basis mapping for each processing activity is maintained in our internal Records of Processing Activities.
5. How We Use Personal Data
We use personal data to:
Process and manage bookings and subscriptions.
Provide cleaning, sanitisation and related services.
Communicate confirmations, reminders and service updates.
Process payments and refunds.
Manage customer accounts and service history.
Provide customer support and handle complaints.
Conduct quality control, training and internal audits.
Send marketing communications where consented or permitted.
Detect, prevent and investigate fraud and other unlawful activity.
Comply with legal and regulatory obligations.
Perform analytics and improve our website and services.
We do not use personal data for automated decision making that produces legal or similarly significant effects without explicit notice and lawful basis.
6. Sharing and Disclosure
We may disclose personal data to:
Service providers and processors engaged to perform functions on our behalf such as payment processors (Stripe), email and SMS providers, IT hosting and analytics providers, and scheduling platforms.
Technicians and subcontractors who require data to perform services at your property.
Professional advisers including legal, tax and accounting advisors.
Regulators and law enforcement where required by law or to protect our legal rights.
Third parties in connection with a business transfer such as a sale, merger or reorganisation; in such cases we will require the transferee to respect the privacy rights described in this Policy.
All processors are contractually required to implement appropriate technical and organisational measures and to process data only on our documented instructions.
7. International Transfers
Personal data may be transferred outside the UK. Where transfers occur to countries without an adequacy decision, we implement appropriate safeguards such as Standard Contractual Clauses, binding corporate rules, or other lawful transfer mechanisms. Details of safeguards are available on request.
8. Data Retention and Deletion
We retain personal data only for as long as necessary for the purposes set out in this Policy and to meet legal, tax and accounting obligations. Typical retention periods include:
Booking and service records: minimum 6 years for tax and warranty purposes.
Payment records: 6 years.
Marketing consents: until withdrawn.
Website analytics: up to 24 months unless anonymised.
Job applicant data: 6 months after recruitment decision unless consented otherwise.
When retention is no longer required we securely delete, destroy or anonymise personal data. Backup copies are retained in accordance with our backup and disaster recovery policy and are securely deleted in due course.
9. Security Measures
We implement appropriate technical and organisational measures to protect personal data, including but not limited to:
Encryption of data in transit using TLS and encryption at rest where feasible.
Access controls and role based permissions for staff and contractors.
Multi factor authentication for administrative access.
Network security including firewalls, intrusion detection and regular vulnerability scanning.
Logging and monitoring of access and system events.
Secure development practices and regular security testing.
Staff training on data protection and confidentiality.
Processor due diligence and contractual security obligations.
Despite these measures, no system is infallible. We maintain an incident response plan and will notify affected data subjects and the ICO where required by law.
10. Data Breach Response
We maintain a documented Data Breach Response Plan. In the event of a personal data breach we will:
Contain and assess the breach.
Notify the ICO within 72 hours where required.
Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Provide details of the breach, likely consequences and mitigation steps.
Preserve evidence and cooperate with regulatory authorities.
All breaches are logged and reviewed to prevent recurrence.
11. Data Subject Rights and How to Exercise Them
You have the following rights under UK GDPR:
Right of access to a copy of your personal data.
Right to rectification of inaccurate or incomplete data.
Right to erasure where processing is no longer necessary or lawful.
Right to restrict processing in certain circumstances.
Right to object to processing based on legitimate interests or direct marketing.
Right to data portability where processing is based on consent or contract and carried out by automated means.
Right to withdraw consent at any time for processing based on consent.
Right to lodge a complaint with the Information Commissioner’s Office.
To exercise any right, contact us at the details in Section 1. We will verify your identity before actioning requests. We respond to valid requests without undue delay and in any event within one month, extendable by two further months for complex requests with notice. Where requests are manifestly unfounded or excessive we may charge a reasonable fee or refuse to act.
12. Verification Procedure for Requests
To protect privacy we require reasonable proof of identity before fulfilling requests. Acceptable verification may include a copy of a government issued ID and a recent utility bill. We will only request the minimum information necessary to verify identity.
13. Cookies and Tracking
We use cookies and similar technologies to operate the website and improve user experience. Cookies are categorised as:
Strictly necessary cookies required for site operation.
Performance and analytics cookies to measure site usage.
Functional cookies to remember preferences.
Advertising cookies for personalised marketing.
A cookie banner and cookie settings page are provided. You may withdraw consent for non‑essential cookies at any time via the cookie settings or your browser.
14. Marketing Communications
We will only send marketing communications where you have consented or where we have a legitimate interest and you are an existing customer. Every marketing message contains an easy unsubscribe mechanism. You may also opt out by contacting us.
15. Children and Vulnerable Data Subjects
Our services are not directed at children under 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate consent we will delete it promptly.
16. Automated Decision Making and Profiling
We do not carry out automated decision making or profiling that produces legal or similarly significant effects without explicit notice and lawful basis. Where profiling is used for legitimate business purposes we will provide meaningful information about the logic involved and the significance and envisaged consequences.
17. Processor Agreements and Subprocessors
We maintain written contracts with all processors that include:
Purpose and duration of processing.
Nature of the processing and categories of data.
Obligations to implement appropriate security measures.
Prohibition on engaging subprocessors without prior notice and contractual flow‑down.
Assistance with data subject requests and breach notifications.
A current list of subprocessors is available on request.
18. Data Protection Impact Assessments and Privacy by Design
We conduct Data Protection Impact Assessments for high-risk processing activities and implement Data Protection by Design and Default in new projects. DPIA outcomes and mitigation measures are documented and reviewed.
19. Record Keeping and Audit Rights
We maintain Records of Processing Activities and are able to demonstrate compliance. We reserve the right to audit processors and subcontractors and require them to provide evidence of compliance.
20. Liability and Indemnity
We process personal data in accordance with this Policy and applicable law. To the extent permitted by law, our liability for data protection breaches is limited to direct losses reasonably foreseeable and caused by our negligence. We are not liable for indirect, consequential or punitive damages. Where required, indemnities and liability caps are set out in our commercial agreements.
21. Changes to This Policy
We may update this Policy to reflect changes in law, technology or business practice. The latest version will be published on our website with the effective date. Material changes will be communicated to customers where required.
22. Complaints and Supervisory Authority
If you are unhappy with our handling of your personal data you may contact us using the details in Section 1. You also have the right to lodge a complaint with the Information Commissioner’s Office at https://ico.org.uk/
23. Contact and Data Protection Officer
For data protection enquiries, data subject requests or to request a copy of our Records of Processing Activities or subprocessors list, contact info@lustria.org.uk
If we appoint a Data Protection Officer their contact details will be published here.
