Who we are
Bubble Fresh (Bubblefresh Limited, company number 12691029, registered office: 6 Carnegie Street, Rushden, Northamptonshire, NN10 9SN) is a specialist cleaning and clearance company. We provide services for vulnerable adults, families, and local council partners across Northamptonshire, Milton Keynes, Bedford, and Norfolk. This policy explains how we collect, use, and protect your personal information in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025.
Data protection officer
Our Data Protection Officer (DPO) is Lance James, who also serves as Director. We acknowledge the dual role and ensure DPO independence in accordance with Article 38(3) of UK GDPR: the DPO acts independently on all data protection matters, reports directly without interference on data protection issues, and cannot be overruled on data protection compliance decisions by commercial considerations. If you have any questions about how we handle your data, contact our DPO at pmsermvuidgwvhsnaobjcsfjyewzqz@bbkluqdjbxdwbypjlhswekqdfwourlfoeacmstvxhwzr.hancwbboylj.ixzucjtkmfi, by phone on 01933 213045, via Relay UK on 18001 then 01933 213045, or by post at Bubblefresh Limited, 6 Carnegie Street, Rushden, Northamptonshire, NN10 9SN.
What data we collect
We may collect your name, phone number, email address, and postal address when you contact us or make an enquiry. If you are referred to us by a council or professional body, we may receive your name, address, details of care and support needs, property condition, risk factors, and referring professional's details. Where referrals include health or social care information, this is special category data under Article 9 of UK GDPR. We process this data on the basis of substantial public interest (Data Protection Act 2018, Schedule 1, Part 2) or where necessary for the provision of health or social care. For employees, we process criminal offence data (Disclosure and Barring Service (DBS) check results) under Article 10 of UK GDPR, relying on the Data Protection Act 2018 Schedule 1 Part 1 paragraph 1 (employment purposes). We maintain an Appropriate Policy Document as required by Schedule 1 Part 4 of the Data Protection Act 2018, which is available on request. During service delivery, we may take photographs of property condition for record-keeping, reporting to the referring council, or quality assurance purposes. These photographs will not include identifiable individuals unless necessary for safeguarding. We also collect technical data such as IP address, browser type, and pages visited when you use our website. Where body-worn cameras are used during service delivery, video and audio footage is recorded in accordance with our Body-Worn Camera Policy. Providing your personal data for a direct enquiry is voluntary; if you choose not to, we will be unable to respond to your enquiry or provide our services. For council referrals, the provision of data is necessary to deliver the referred service. We do not knowingly collect personal data from children. Where a council referral includes information about children in a household, we process it only as necessary for the referred service and in accordance with the council's instructions as data controller.
How we use your data
We use your personal data to respond to enquiries and provide our services, to communicate with you about bookings and service delivery, to fulfil our obligations under council contracts and referral agreements, for safeguarding purposes where there is a concern about a person's welfare (see our Safeguarding Policy), to vet and train our staff so they can work safely with vulnerable adults, to monitor quality and compliance with our contractual and legal obligations, and to improve our website and services. We will never sell your personal data to third parties.
Legal basis for processing
We process your data on the basis of legitimate interest under Article 6(1)(f) (responding to enquiries and delivering services), contractual necessity under Article 6(1)(b) (fulfilling service agreements and council contracts), legal obligation under Article 6(1)(c) (safeguarding duties, health and safety requirements, RIDDOR reporting), vital interest under Article 6(1)(d) (in rare cases where there is an immediate risk to someone's life or safety), and consent under Article 6(1)(a) (where you have opted in to communications). Where we rely on legitimate interest, we carry out a Legitimate Interest Assessment (LIA) to balance our business needs against your rights and freedoms. You can request a copy of any LIA from our DPO. For council referrals, Bubble Fresh acts as a data processor under Article 28 of UK GDPR and the legal basis for processing is determined by the referring council as data controller. Where we process council referral data for our own legitimate purposes (such as invoicing and contract management), we rely on Article 6(1)(b) contractual necessity.
Data sharing
We may share your data with council partners where required for service delivery and safeguarding purposes, with Safeguarding Adults Boards or other safeguarding bodies where we have a safeguarding concern (under legal obligation or vital interest), with waste disposal facilities for waste transfer documentation, with our IT service providers who help us operate our website and systems, with the Disclosure and Barring Service for staff vetting purposes, and with law enforcement or regulatory bodies where required by law. We have Data Processing Agreements compliant with Article 28(3) of UK GDPR in place with all third-party processors, including IT providers, cloud hosting, backup services, and body-worn camera storage providers. All third parties handle your data in accordance with data protection law. We do not share your personal data with any third party for marketing purposes. Where we use body-worn cameras, we have carried out a Data Protection Impact Assessment (DPIA) for that processing; see our Body-Worn Camera Policy for details.
Our role as data controller and processor
For enquiries received directly from individuals, Bubble Fresh acts as the data controller. For council referrals, we act as the data processor on behalf of the referring council, which remains the data controller. Where we act as a data processor, we process personal data only in accordance with the council's instructions and our contractual obligations, as required by Article 28 of UK GDPR. Where Bubble Fresh and a council partner jointly decide the purposes and means of processing personal data, we enter into a joint controller arrangement under Article 26 of UK GDPR. This arrangement sets out each party's responsibilities for meeting data protection obligations, including how we handle your rights requests. You can contact either Bubble Fresh or the relevant council to exercise your rights regardless of the arrangement between us.
Council referral data
Where services are arranged through a council referral, we process personal data as required by our contractual obligations with the referring authority. We ensure that a formal Data Sharing Agreement or Data Processing Agreement is in place with each council partner before data flows begin. Council referral data is used solely for delivering the referred service. When a council contract ends or a referral is complete, we return or securely delete the council's personal data in line with the terms of our agreement, unless we are required by law to keep it for longer.
International data transfers
We do not transfer your personal data outside the United Kingdom. All our hosting, backup, and processing systems are based in the UK. If this changes in future, we will update this policy and put appropriate safeguards in place, such as standard contractual clauses or an adequacy decision, in accordance with Chapter V of UK GDPR.
Automated decision-making
We do not use automated decision-making or profiling in relation to your personal data. Under Article 22 of UK GDPR and the Data (Use and Access) Act 2025, you have the right not to be subject to decisions based solely on automated processing that significantly affect you. If we ever introduce automated decision-making in the future, we will update this policy, carry out a DPIA, and make sure you can request human review of any automated decision.
Data retention
We keep personal data only for as long as necessary. Our retention periods are: enquiry data — 12 months; service records — 6 years (Limitation Act 1980); council referral data — per the relevant council's retention schedule; body-worn camera footage — 2 months (unless needed for an ongoing matter); website analytics — 12 months; employee personnel files — 6 years after leaving employment; DBS certificates — destroyed within 6 months of the recruitment decision (DBS Code of Practice), with a record of the check retained for 6 years; training records — 6 years after leaving employment; health surveillance records under the Control of Substances Hazardous to Health Regulations 2002 (COSHH) — 40 years from date of last entry (COSHH Regulations 2002 Regulation 11(4)); COSHH exposure monitoring records of identifiable individuals — 40 years (Regulation 10); incident and accident reports — 6 years (Limitation Act 1980); Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) records — minimum 3 years (RIDDOR 2013 Regulation 12); risk assessments — 6 years; safeguarding records — minimum 6 years from last contact or per the relevant Safeguarding Adults Board retention schedule; complaints records — 6 years; whistleblowing records — 6 years from closure of investigation; waste transfer notes — 2 years (or longer where required by a council contract); hazardous waste consignment notes — 3 years; and lone worker GPS location data — 30 days. When a retention period ends, we securely destroy the data. Electronic records are permanently deleted and paper records are shredded. A full data retention schedule is available on request from our DPO.
Data security
We protect your data through role-based access controls (only authorised personnel access personal data), encryption of data at rest (AES-256) and in transit (TLS 1.2 or above), secure storage with regular backups, regular security reviews, and staff confidentiality agreements. All staff sign a confidentiality agreement as a condition of employment, and our Code of Conduct reinforces their duty to protect personal data. Paper records containing personal data are stored in locked cabinets and disposed of by shredding. Our full approach to data security is set out in our Information Security Policy.
Data protection by design and default
In accordance with Article 25 of UK GDPR, we build data protection into everything we do from the start. This means we only collect the personal data we need for a clear purpose, we limit who can access your data to those who need it for their role, we carry out Data Protection Impact Assessments (DPIAs) before starting any processing that is likely to result in high risk to individuals, we use privacy-enhancing measures such as pseudonymisation and data minimisation where appropriate, and we review our systems and processes regularly to make sure they continue to protect your data. These principles apply equally when we act as a data processor on behalf of council partners. Our default settings always use the most privacy-friendly option.
Staff training and awareness
All Bubble Fresh staff receive data protection training when they join and at least once a year after that. Training covers the principles of UK GDPR and the Data Protection Act 2018, how to handle personal data safely, recognising and reporting data breaches, the rights of individuals whose data we process, and the extra care needed when working with data about vulnerable adults. Staff who handle council referral data receive additional training on their responsibilities as part of a data processor relationship. See our Training and Development Policy for more details.
Your rights
Under UK data protection law, you have the right to be informed about how your data is used, to access the personal data we hold about you, to request correction of inaccurate data, to request erasure of your data (the 'right to be forgotten') subject to legal obligations, to restrict processing of your data, to data portability (to receive your data in a structured, commonly used format), to object to processing including direct marketing, not to be subject to automated decision-making including profiling, and to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been infringed. Where we process your data based on legitimate interest under Article 6(1)(f), you have the right to object at any time under Article 21 of UK GDPR. If you object, we will stop processing your data for that purpose unless we can show compelling legitimate grounds that override your interests, rights, and freedoms, or we need the data for legal claims. Where we process your data based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To exercise any of these rights, contact our DPO at psuqriasinsevktaakskcvzayhgiqz@bzdtudzcbytlbaxjlrjteumwfaxvrchhehglspxihqah.smccsawohrp.dwqutcoknpg, call 01933 213045, or use Relay UK on 18001 then 01933 213045. You can also write to us at Bubblefresh Limited, 6 Carnegie Street, Rushden, Northamptonshire, NN10 9SN. There is no charge for exercising your rights. We may charge a reasonable fee or refuse a request only if it is clearly unfounded or excessive. We will respond within one month. If your request is complex or we receive many requests, we may extend this by up to two further months. We will let you know if we need to do this and explain why. If your request relates to data we process on behalf of a council as data processor, we may need to pass it to the council to respond. We will tell you if this is the case.
Data breaches
In the event of a personal data breach, we will assess the risk to individuals and, where required, notify the Information Commissioner's Office (ICO) within 72 hours in accordance with Article 33 of UK GDPR. If the breach is likely to result in a high risk to your rights, we will also notify you directly in accordance with Article 34 of UK GDPR, explaining what happened, what data was affected, what we are doing about it, and what you can do. Where a breach affects data processed on behalf of a council partner, we will notify the council without undue delay in accordance with our Data Processing Agreement. All breaches, whether or not they meet the ICO notification threshold, are recorded in our breach log and investigated. Our Incident Reporting Policy sets out the full process for identifying, reporting, and learning from incidents including data breaches.
Cookies
Our website uses cookies to improve your experience. For full details, see our Cookie Policy.
Changes to this policy
We may update this policy from time to time. Any changes will be posted on this page with an updated date. Where we make significant changes that affect the legal basis, purposes, retention, or sharing of your personal data, we will give you at least 30 days' notice before the changes take effect. We will notify you by email (if we hold your email address) or by a prominent notice on our website. Minor changes, such as correcting a typo or updating contact details, may be made without advance notice. We encourage you to review this policy from time to time.
Contact and complaints
If you have questions about this privacy policy or how we handle your data, contact our DPO at ppburrhtiwssvmwdagcfctfiyjgxqz@bdkeucwebrotbhsdlvjgeoomfmgmrktoenwysfzvhspe.ugrctcuoneh.arkuvalkzuy, by phone on 01933 213045, via Relay UK on 18001 then 01933 213045, or by post at Bubblefresh Limited, 6 Carnegie Street, Rushden, Northamptonshire, NN10 9SN. Bubble Fresh (Bubblefresh Limited, company number 12691029) is registered with the ICO (registration: ZB656998). In accordance with the Data (Use and Access) Act 2025, we provide an electronic complaints mechanism for data protection concerns: you can email pqjcrersilozvbzzaaqacyozywgxqz@bhhlupfjbepabjajljmaeukwfgkcryhqegkvswhuhdat.yprcvzaoxmx.gkcuilikijc at any time. You can also raise concerns through our Complaints Procedure. We will acknowledge any data protection complaint within 30 days and respond without undue delay. If you are not satisfied with our response, you have the right to lodge a complaint with the ICO at ico.org.uk. You can also contact the ICO at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Helpline: 0303 123 1113.
Review
The Director, Lance James, reviews this policy annually and updates it to reflect changes in legislation, guidance, or best practice. Last reviewed: February 2026. Next review due: February 2027.