This Privacy Policy explains how CleanerMatcher OÜ ('we', 'us', 'our') collects, processes, stores, shares, and protects Personal Data in connection with the operation of the CleanerMatcher digital marketplace. We are committed to processing Personal Data lawfully, fairly, and transparently in accordance with the GDPR, the Estonian Personal Data Protection Act, and all other applicable data protection legislation.
1. Who we Are — Data Controler
1.1 Data Controller. CleanerMatcher OÜ, registry code 17438108, Tuukri tn 19-202, 10120 Tallinn, Estonia, is the data controller responsible for the processing of Personal Data described in this Policy.
1.2 Data Protection Contact. You may contact us regarding data protection matters at [email protected] or at the registered address above.
1.3 Supervisory Authority. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, Estonia (www.aki.ee). If you are habitually resident in another EU member state, you also have the right to lodge a complaint with the supervisory authority of that state.
2. Personal Data We Collect
2.1 Customer Data. We collect the following categories of Personal Data from Customers:
(a) Identity Data: full name, date of birth (for age verification), identification document details where required.
(b) Contact Data: email address, phone number, billing and service address.
(c) Account Data: username, password (hashed), account preferences.
(d) Booking Data: Booking history, service addresses, special requirements, access instructions.
(e) Financial Data: payment method details (processed by our payment service provider; we do not store full card numbers), transaction history.
(f) Communications: messages exchanged through the Platform, Customer support correspondence.
(g) Usage Data: IP address, browser type, device identifiers, Platform interaction data, log files, and cookies (see Clause 11).
(h) Review Data: ratings and written reviews submitted by you.
2.2 Provider Data. We collect the following categories of Personal Data from Providers and their representatives:
(a) Identity Data: full name, identification document details, date of birth.
(b) Contact and Business Data: email address, phone number, registered business address, company registration number, VAT number.
(c) Account Data: Provider Account credentials, service listings, pricing information.
(d) Personnel Data: names and details of personnel listed on the Platform.
(e) Financial Data: bank account details for remittances, Commission statements, transaction history.
(f) Compliance Data: insurance certificates, licences, permits, right to work documentation.
(g) Usage Data: Platform access logs, Booking management activity.
2.3 Special Categories. We do not intentionally collect special categories of Personal Data as defined in GDPR Article 9. If such data is incidentally provided, it will be deleted promptly.
2.4 Children. The Platform is not directed at children under eighteen (18). We do not knowingly collect Personal Data from persons under eighteen (18). If we become aware that such data has been provided without a valid legal basis, we will delete it promptly.
3. Legal Bases for Processing
3.1 We process Personal Data on the following legal bases:
| Purpose | Data Categories | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Account registration and management | Identity, Contact, Account Data | Art. 6(1)(b) — contract performance |
| Processing Bookings and payments | Booking, Financial, Contact Data | Art. 6(1)(b) — contract performance |
| Provider onboarding and compliance | Identity, Compliance, Business Data | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation |
| Fraud detection and Platform security | Identity, Usage, Financial Data | Art. 6(1)(f) — legitimate interests, necessary for preventing fraud, abuse, and ensuring Platform security |
| Customer support and dispute handling | Communications, Booking, Identity Data | Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interests |
| Platform improvement and analytics | Usage, Account Data (anonymised where possible) | Art. 6(1)(f) — legitimate interests, based on our interest in improving and optimising the Platform, subject to a balancing test ensuring your rights and freedoms are not overridden |
| Marketing and promotional communications | Contact, Account Data | Art. 6(1)(a) — consent (withdrawable at any time) |
| Compliance with legal obligations | All categories as required | Art. 6(1)(c) — legal obligation |
5. International Transfers
5.1 We process Personal Data primarily within the European Economic Area (EEA).
5.2 Where Personal Data is transferred to a third country outside the EEA, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission under GDPR Article 46(2)(c), or that the transfer is to a country subject to an adequacy decision under GDPR Article 45.
5.3 You may request a copy of the applicable transfer safeguards by contacting [email protected].
6. Retention of Personal Data
6.1 We retain Personal Data only for as long as necessary for the purposes for which it was collected, subject to the following retention periods:
| Data Category | Retention Period | Basis |
|---|---|---|
| Customer account data | Duration of account + 3 years | Contract performance, legal claims |
| Booking and transaction records | 7 years from transaction date | legal obligation (accounting and tax legislation) |
| Provider account and compliance data | Duration of Agreement + 5 years | legal obligation and limitation period for potential claims |
| Customer support communications | 3 years from resolution | Art. 6(1)(f) legitimate interests (handling and defending legal claims, service quality management) |
| Marketing consent records | Until consent withdrawn + 1 year | to evidence consent compliance under GDPR accountability requirements |
6.2 Upon expiry of the applicable retention period, Personal Data will be securely deleted or anonymised.
7. Your Data Subject Rights
7.1 Under GDPR, you have the following rights in respect of your Personal Data:
Right of Access (Art. 15): to obtain a copy of your Personal Data and information about how we process it.
Right to Rectification (Art. 16): to have inaccurate Personal Data corrected.
Right to Erasure (Art. 17): to have Personal Data deleted where no longer necessary, or where processing is unlawful.
Right to Restriction (Art. 18): to restrict processing in certain circumstances.
Right to Data Portability (Art. 20): to receive your Personal Data in a structured, machine-readable format and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means
Right to Object (Art. 21): to object to processing based on legitimate interests, including for direct marketing purposes.
Right to Withdraw Consent (Art. 7(3)): where processing is based on consent, to withdraw consent at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint (Art. 77): to lodge a complaint with the Estonian Data Protection Inspectorate or the supervisory authority of your EU member state.
7.2 To exercise any right, submit a written request to [email protected]. We will respond within one (1) calendar month of receipt. Complex requests may be extended by a further two (2) months with prior notification.
7.3 We may request verification of your identity before processing a request. We will not charge a fee for reasonable requests.
8. Data Security
8.1 We implement technical and organisational security measures appropriate to the risk of processing, including:
(a) encryption of Personal Data at rest and in transit;
(b) access controls and authentication measures;
(c) regular security testing and vulnerability assessments;
(d) staff training on data protection obligations.
8.2 In the event of a Personal Data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Article 34. Where applicable, we will also notify the supervisory authority within seventy-two (72) hours of becoming aware of the breach in accordance with Article 33.
8.3 No method of transmission over the internet is completely secure. While we take every reasonable precaution, we cannot guarantee absolute security.
9. Automated Decision-Making and Profiling
9.1 We use automated processes to rank Provider search results and allocate Bookings based on Provider ratings, response time, location, and availability. These processes are designed not to produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 GDPR.
9.2 We do not carry out automated decision-making that produces legal effects against users without human review.
9.3 Where we use profiling for direct marketing purposes, we will only do so based on your consent, and you may object at any time.
10. Third-Party Services and Links
10.1 The Platform may contain links to third-party websites or services. We are not responsible for the data practices of third parties. We encourage you to review the privacy policies of any third-party services you access.
10.2 Where we engage third-party processors, we ensure that appropriate Article 28 data processing agreements are in place requiring them to process Personal Data only on our instructions, implement appropriate security measures, and not sub-process without our consent.
12. Marketing Communications
12.1 With your consent, we may send you marketing emails, SMS messages, or in-app notifications about services, promotions, and Platform updates.
12.2 You may withdraw consent at any time by: (a) clicking 'unsubscribe' in any marketing email; (b) updating your communication preferences in your account settings; or (c) contacting [email protected].
12.3 Withdrawal of marketing consent does not affect transactional communications relating to Bookings or account management.
13. CHANGES TO THIS POLICY
13.1 We may update this Privacy Policy to reflect changes in our processing activities or Applicable Law. We will notify you of material changes by email or in-app notification at least fourteen (14) calendar days before they take effect.
13.2 The current version of this Policy is always available at cleanermatcher.com/privacy.
14. CONTACT US
14.1 All data protection enquiries and requests should be directed to: