Privacy Policy
Kwiklow Privacy Policy – Legal Summary

Who We Are
Kwiklow Ltd is a UK-based company providing a digital platform that connects clients with local service providers. We act as a data controller under the UK General Data Protection Regulation (UK GDPR).

What Data We Collect
We collect personal data including your name, contact details, job history, payment information, location (if enabled), messages, and device data. This information is gathered through direct input, automated tracking, and integration with third-party services (e.g. payment processors or ID verification providers).

Why We Collect It
We use your data to deliver our services, process payments, manage accounts, prevent fraud, personalise user experience, communicate with you, and comply with legal obligations. We also use data (with consent) for marketing and performance analytics.

Our Legal Grounds
We process your data under the following legal bases: contractual necessity (e.g. job fulfilment), legitimate interest (e.g. platform security), consent (e.g. marketing or optional features), and legal obligation (e.g. tax compliance).

Who We Share It With
Your data may be shared with secure third-party processors including hosting providers, analytics services, customer support tools, and payment processors. We never sell your data. Transfers outside the UK are protected by appropriate safeguards.

How Long We Keep It
We retain your data only as long as necessary. Job records, payments, and support history are kept for up to six years to meet legal obligations. Inactive accounts may be deleted after 24 months. You may request deletion at any time, subject to exceptions.

Your Rights
You have the right to access, correct, delete, or restrict your personal data. You can object to certain uses or withdraw consent at any time. You can also request a copy of your data or have it transferred elsewhere.

Security Measures
We use encryption, secure data centres, access controls, and regular audits to protect your data. All systems are monitored and tested regularly for vulnerabilities. Data breaches are reported to the ICO within 72 hours where required.

Contact
Email: contact@kwiklow.com
Post: Kwiklow Ltd, 20 Wenlock Road, London, N1 7GU, UK
Effective Date: 05/05/2025

1. Data Collection
Kwiklow Ltd collects personal and usage data solely for the purpose of operating and improving its platform, ensuring lawful service delivery, and protecting user interests. This section details the types of data we collect, the methods through which collection occurs, and the rationale behind it.

1.1 Categories of Data Collected
We collect the following categories of data when you interact with our services:

a) Identity Data
Full name, username, user ID, date of birth, profile photo (if uploaded), and government-issued identification (when identity verification is required).

b) Contact Data
Mobile number, email address, postal address (if necessary for the service), and any alternate contact methods you choose to provide.

c) Service Interaction Data
Details of projects posted, services requested, bids submitted, job acceptances, task completion records, reviews, and disputes. This includes time stamps, locations, and the history of service provider–client interactions.

d) Financial Data
Bank account details, payment card data, payment preferences, wallet balances (where applicable), cryptocurrency wallet addresses, and transaction records. We do not store full payment card details on our servers; these are processed securely by our payment partners.

e) Communication Data
Messages sent via in-app chat, support queries, emails to our helpdesk, feedback, and voice messages (if applicable). This data is retained for dispute resolution, compliance, and service improvement purposes.

f) Device and Technical Data
IP address, device type, operating system, browser version, unique device identifiers, language settings, crash reports, and diagnostics. This helps us optimise performance, detect suspicious activity, and ensure platform security.

g) Location Data
Where enabled, we may collect approximate or precise geolocation data during active use of the app—for instance, to show nearby service providers or confirm job completion on-site. Users have full control over location permissions in their device settings.

h) Usage Data
Data on how you use our app or website, including time spent, navigation behaviour, clicks, search queries, referral sources, and interactions with service listings or advertisements.

1.2 How Data Is Collected
We gather data through the following methods:

a) Direct Input by the User
When you register, complete your profile, post a job, submit a bid, communicate with others, or make a payment, you knowingly provide data to us. You are responsible for ensuring the accuracy of any data you input.

b) Automated Collection via Technology
As you use the platform, we automatically collect device and usage data using cookies, software development kits (SDKs), mobile analytics, and server logs. These tools are deployed solely to support functionality, diagnostics, fraud detection, and service improvement.

c) Third-Party Integrations
Where you link your Kwiklow account with third-party services (such as payment gateways, social login providers, or ID verification platforms), we receive information as permitted under the connected platform’s privacy terms.

d) Customer Support and Feedback
When you contact customer support or submit feedback, we retain the data you provide to ensure continuity, resolve queries efficiently, and improve user experience.

e) Cookies and Similar Technologies
Our website and app use cookies and similar identifiers to recognise you, remember preferences, and analyse platform use. You may control cookie preferences through your browser or mobile settings. Essential cookies cannot be disabled without affecting functionality.

1.3 Justification for Data Collection
Kwiklow collects personal data only where there is a clear legal basis and operational need. Every item collected serves one or more of the following justifications:

To establish and verify user identity
Prevents fraud, ensures trust between users, and supports compliance with Know Your Customer (KYC) obligations where applicable.

To facilitate service delivery
Enables users to post or accept jobs, communicate in real time, schedule work, and complete payment transactions.

To ensure platform integrity and performance
Detects misuse, prevents platform abuse, enforces community standards, and improves app responsiveness and stability.

To personalise user experience
Allows tailoring of content, recommended services, and search results based on user behaviour and preferences.

To comply with legal and regulatory obligations
Includes obligations under tax law, anti-money laundering rules, and consumer protection laws.

To support internal analytics and product improvement
Usage data enables continuous iteration of features, bug fixes, and strategic planning based on real user behaviour.

1.4 Optional and Sensitive Data
We do not intentionally collect special category data (such as race, religion, health information, or political beliefs), and we strongly advise users not to submit such information unless required for legal or regulatory purposes. Where sensitive data is collected—for example, in identity verification—it is handled with heightened security controls and processed strictly under legal bases.

Users may also choose to opt in to additional data collection features, such as enabling biometric login or allowing access to device photos or media when uploading service portfolios. These features are strictly opt-in and can be revoked at any time in user settings.

2. Purpose of Use
Kwiklow Ltd processes personal data strictly for purposes that are lawful, transparent, and directly tied to the operation and improvement of its platform. This includes enabling core functionality, maintaining system security, supporting user engagement, and complying with applicable laws.

We process identity, contact, and service interaction data to allow users to register, log in, manage accounts, and interact with one another. This includes posting jobs, submitting bids, negotiating terms, and confirming project completion. Communication data enables real-time dialogue between users, dispute resolution, and administrative support. These uses are fundamental to the platform’s operation and fall under the lawful basis of contractual necessity.

Financial data is processed to enable secure payments, manage wallet balances, initiate refunds, and meet obligations under anti-money laundering and fraud regulations. We work with third-party payment processors to handle transactions securely. Transaction records are retained for accounting, auditing, and fraud detection.
This processing is required both contractually and by law.

Communication and notification systems rely on processing basic user data. We send transactional messages such as confirmation emails, bid alerts, service reminders, payment notices, and dispute outcomes. These messages are system-driven and necessary for platform operation. We also issue service announcements when changes to our terms, features, or legal requirements affect your use of the platform. For support interactions, we retain records of chats, emails, and tickets to ensure continuity and track resolution outcomes. These fall under both contractual necessity and legitimate interest.

To improve user experience, we process usage data to personalise platform content. This includes tailoring service listings, suggesting relevant providers or projects, and adjusting visibility of features based on user preferences or history. We also use behavioural data to improve search ranking relevance, optimise navigation flow, and identify underperforming features. These activities support a smoother user journey and are justified by legitimate interest.

We process technical and behavioural data to secure the platform. This includes monitoring IP addresses, access patterns, login locations, and device fingerprints. Suspicious activity such as account takeovers, bot usage, or fraud attempts is flagged automatically. We also monitor messages and content for abuse, spam, hate speech, and other breaches of our acceptable use terms. Where appropriate, this leads to action such as account suspension or reporting to authorities. These actions are based on legitimate interest and, where required, legal obligation.

Marketing activity is consent-based. Users may choose to receive promotional emails, updates on new features, or relevant third-party offers. We may segment audiences to deliver more relevant campaigns, but no direct profiling occurs without user knowledge.
You can opt in or out of marketing at any time in your account settings. We never sell personal data or share marketing information with external parties without clear, revocable consent. The legal basis for this processing is user consent.

We use aggregated and pseudonymised data for internal analytics. This helps us understand platform performance, track user behaviour at a macro level, and prioritise development resources. Examples include analysing high-demand categories, understanding drop-off points in onboarding, or evaluating retention trends. No reports generated from analytics expose personal identities. The basis for this processing is legitimate interest, with safeguards in place to protect user anonymity.

Certain optional features may involve additional data. For example, users may choose to enable location tracking for on-site job verification or allow access to camera and media files to upload project images. Participation in these features is strictly opt-in, with permissions managed by the user at the device level. No optional data is collected or processed without explicit and informed consent.

All data processing is designed to be proportionate, necessary, and transparent. Where multiple purposes exist for the same data category, we apply the most restrictive legal basis and ensure compliance through internal governance and technical safeguards.

3. Legal Bases for Processing
Kwiklow Ltd processes personal data only where there is a valid legal ground under the UK General Data Protection Regulation (UK GDPR). Each processing activity falls under one or more of the six lawful bases defined in Article 6 of the regulation. This section outlines how each base applies in practical terms within the platform.

The primary basis is contractual necessity, which applies when we process data to fulfil a contract with the user.
This includes creating and managing user accounts, facilitating job postings, enabling communication between clients and service providers, processing payments, tracking project progress, issuing invoices, managing disputes, and enforcing user terms. If users do not provide data required under this basis, we cannot deliver the core functions of the platform.

Legitimate interest is used where data processing is essential for the operation, security, and growth of the platform, and where those interests are not overridden by the user’s rights or freedoms. Examples include fraud prevention, abuse detection, platform optimisation, interface testing, system maintenance, internal analytics, and the tailoring of user experience. We apply a balancing test to ensure that such processing is reasonable, minimally intrusive, and expected by the user. Data used under this basis is limited in scope and subject to opt-out mechanisms where possible.

Consent is the basis we rely on for all non-essential processing. This includes receiving marketing communications, participating in promotional campaigns, enabling biometric login, allowing access to device media, and granting geolocation tracking when not strictly required for job performance. Consent is obtained explicitly, recorded securely, and can be withdrawn at any time through account settings or by contacting our support team. We do not use pre-ticked boxes or implied consent. Where consent is the only legal basis, no processing occurs without it.

Legal obligation applies when we are required to process data under UK law or in response to official requests from regulatory authorities. This includes compliance with tax legislation, anti-money laundering checks, financial reporting requirements, consumer protection laws, and law enforcement disclosures.
In such cases, we may retain records longer than usual and may disclose specific data to government or enforcement bodies without user consent, strictly in accordance with the law.

In limited circumstances, we may process data under public interest or vital interests, although these are rarely relied upon. Public interest may apply if the processing supports a government-mandated initiative or regulatory function. Vital interests may apply in cases where the safety or well-being of an individual is at risk, and urgent action is required without time to obtain consent—for example, if we become aware of credible threats of harm communicated through the platform.

Where more than one lawful basis applies to the same processing activity, we document and prioritise the basis offering the highest protection for the user. Our internal data mapping ensures each data category is linked to a lawful basis, and our staff are trained to follow those mappings strictly. No data is processed without legal justification, and no purpose is added retroactively without re-assessment of the appropriate legal basis.

We also apply the principle of data minimisation in relation to all legal bases. This means that even where processing is legally justified, we limit the data collected to what is strictly necessary, avoid excessive retention, and restrict internal access to personnel with a defined operational need.

Kwiklow maintains a Record of Processing Activities (ROPA) in accordance with Article 30 of the UK GDPR. This document logs every data flow, associated purpose, legal basis, and relevant safeguards, and is subject to review and audit. We are fully prepared to demonstrate compliance to the Information Commissioner’s Office (ICO) upon request.

4. Data Sharing
Kwiklow Ltd does not sell, rent, or trade personal data under any circumstances.
However, in order to operate the platform effectively, provide core services, and comply with regulatory requirements, we may share user data with carefully selected third parties. This section details the categories of recipients, the purposes for sharing, and the safeguards in place.

We share data with service providers and processors who support our core operations. These include cloud hosting providers, email and SMS gateways, analytics tools, customer support platforms, payment processors, and cybersecurity vendors. These parties operate under strict contractual agreements that bind them to confidentiality, data protection obligations, and the sole use of data for the purposes we instruct. They may not use or retain the data for their own benefit. Access is limited to the minimum necessary and monitored through audit and access control logs.

We disclose relevant personal and financial data to payment service providers in order to process transactions, manage funds, and detect payment fraud. This includes banks, card processors, and in some cases, cryptocurrency gateway providers. All such partners are regulated entities, certified to industry standards (e.g. PCI DSS), and undergo periodic reviews by our compliance team. Kwiklow never stores full payment card details directly.

Where a user chooses to link their account to a third-party platform, such as Google or Apple for social login, or an ID verification provider, we share the minimum necessary data required to facilitate that integration. These integrations are strictly opt-in and subject to the external platform’s own privacy terms. Kwiklow does not permit third-party platforms to reuse that data outside the scope of the original integration.

In the event of a job dispute, claim, or investigation, we may share communication data, transaction logs, or account identifiers with the involved parties or with independent adjudicators where applicable.
This is done solely to resolve the matter fairly and efficiently, and all disclosures are logged. If necessary, anonymised or redacted data is used to protect third-party privacy during the process.

We may share data with law enforcement, courts, regulators, or tax authorities where required by law or in response to legally binding orders. Such disclosures are made only after formal verification of the request, and the scope of data disclosed is limited to what is explicitly required. In cases involving imminent harm or criminal activity, disclosures may occur without prior notice to the user, in accordance with our obligations under UK law.

In the case of corporate restructuring, including mergers, acquisitions, or asset sales, data may be disclosed to potential buyers or advisors under confidentiality terms. In such scenarios, users will be notified prior to any material change in data control. The acquirer will be bound to honour existing privacy terms or to offer users the option to withdraw consent if terms change.

We also share aggregated, anonymised, or pseudonymised data with research partners, industry analysts, and business stakeholders for the purpose of understanding platform trends, improving operations, and supporting strategic planning. These data sets are stripped of personal identifiers and cannot be used to re-identify individuals without access to restricted internal keys, which are never disclosed.

All third-party sharing is governed by data processing agreements (DPAs) that define the purpose, duration, and scope of access. We maintain an internal vendor risk register and carry out periodic assessments of each third party’s security and compliance posture. No processor is retained without evidence of GDPR alignment and active technical controls in place.

Where data is transferred outside the UK or EEA, we ensure compliance with international transfer requirements.
This includes using recognised mechanisms such as UK Addendum to Standard Contractual Clauses (SCCs), adequacy decisions by the UK government, or other safeguards approved by the Information Commissioner’s Office. Transfer impact assessments (TIAs) are conducted prior to onboarding high-risk vendors in non-adequate jurisdictions.

We maintain full visibility over all data sharing practices and offer users a complete record of the categories of data shared upon request. No third party is authorised to use personal data beyond the direct performance of contracted services, and we actively monitor compliance through audits, breach reports, and contract enforcement mechanisms.

5. Data Retention
Kwiklow Ltd retains personal data only for as long as it is necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, contractual, and operational requirements. Retention periods are determined based on the nature of the data, the context of processing, statutory requirements, and the risk associated with storage.

Account data including identity, contact, and profile information is retained for the duration of the user’s active account. If a user closes their account, the associated personal data is deleted or anonymised within thirty days, unless retention is required for dispute resolution, fraud prevention, or legal compliance. Where a user has been banned or suspended for breach of terms, selected identifiers and evidence records may be retained for a longer period to prevent re-registration and support lawful enforcement.

Transaction data including payment history, invoices, disbursements, and job activity is retained for a minimum of six years from the date of the transaction to comply with accounting, tax, and anti-money laundering obligations. This includes wallet activity, cryptocurrency payments, and fee structures.
Where legal claims or audits are active, retention may be extended until those matters are concluded.

Communication records including support queries, in-app messages, emails, and call logs are retained for up to three years to support dispute resolution, quality assurance, training, and legal accountability. If a specific communication thread becomes subject to investigation or legal proceedings, it may be preserved beyond the standard retention period until no longer needed for evidentiary purposes.

Technical data including logs, device identifiers, and system access records are generally retained for up to twelve months unless linked to a known incident. In cases of fraud detection, data such as IP addresses, access tokens, and login timestamps may be retained longer and cross-referenced against historical patterns to support future risk mitigation.

Cookies and similar technologies used for functional or analytical purposes are retained in accordance with their individual expiry settings, typically ranging from one session to six months. Users can manage cookie storage via their browser settings or in-app preferences, and essential cookies cannot be disabled without impacting core functionality.

Anonymised and aggregated data used for business analytics, reporting, or strategic planning may be retained indefinitely, provided it cannot be linked back to an identifiable individual. This includes usage metrics, trend analysis, and performance benchmarks, none of which carry personal risk when properly de-identified.

Where users withdraw consent for optional features, the related data is deleted or rendered inaccessible immediately, except where such data is part of a broader record required under legal or contractual grounds.
For example, revoking consent to receive marketing emails will not affect the retention of your job history, payment records, or dispute outcomes.

If a user has no recorded activity on the platform for twenty-four consecutive months, their account is flagged as inactive. We may issue a reactivation prompt and, if no response is received, proceed to delete or anonymise personal data associated with the inactive account. Certain essential data such as completed transaction records may still be retained for compliance purposes even after full account deletion.

All data deletion processes are handled securely using industry-standard procedures, including irreversible anonymisation or cryptographic erasure. Data is removed from active systems and, where applicable, backup archives within a reasonable technical delay not exceeding ninety days. We maintain detailed deletion logs for auditability and accountability.

Kwiklow applies data minimisation and retention limitation as core principles of our data lifecycle management. Retention policies are reviewed biannually and updated to reflect regulatory changes, industry standards, and operational priorities. Users may request a detailed summary of retention timelines applicable to their data by contacting our privacy team.

6. User Rights
Under the UK General Data Protection Regulation (UK GDPR), all individuals have enforceable rights concerning the personal data processed about them. Kwiklow Ltd recognises and upholds these rights, and provides clear, accessible mechanisms for users to exercise them. This section outlines your rights, the scope of each, and how to initiate a request.

You have the right to access your personal data. This means you can request confirmation of whether we hold your data and receive a copy of it in a structured, commonly used format. Access requests typically include profile details, service interactions, payment records, and communication logs.
Requests are processed within one calendar month, free of charge unless manifestly unfounded or excessive.

You have the right to rectification, which allows you to request correction of inaccurate or incomplete personal data. This applies to names, contact information, identification documents, or any other stored detail. Most fields can be corrected directly through your account settings. Where manual updates are required, you may be asked to provide supporting documentation.

You have the right to erasure, also known as the ‘right to be forgotten’. You may request that we delete your personal data in circumstances where the data is no longer needed, consent has been withdrawn, or the processing was unlawful. This right does not apply where data must be retained for legal obligations, fraud prevention, or ongoing contractual matters. When granted, erasure is carried out across all active systems and confirmed in writing.

You have the right to restrict processing, which allows you to limit how your data is used in certain scenarios. This may apply while a rectification request is being verified, if you contest the legality of processing, or where data is no longer needed but must be preserved for legal defence. While restricted, your data will not be used for any purpose beyond storage and will be flagged accordingly in our systems.

You have the right to data portability, which enables you to receive your personal data in a machine-readable format or request it be transferred to another controller. This applies only to data you have provided to us directly under contract or consent, such as job history, messages, and payment preferences. We deliver portable data in a secure JSON or CSV format via a secure download link.

You have the right to object to processing carried out under the legitimate interest basis or for direct marketing purposes.
If you object to legitimate interest processing, we will assess whether our grounds override your rights and freedoms before continuing. Objections to marketing are honoured immediately and without question, and can be managed through your settings or unsubscribe links in communications.

You have the right to withdraw consent at any time where consent is the basis for processing. Withdrawal does not affect the lawfulness of processing prior to withdrawal. Revoking consent may disable certain features or services, such as location-based functions or promotional emails, and this will be clearly communicated before action is taken.

You have the right not to be subject to automated decision-making, including profiling, where such decisions produce legal effects or similarly significant consequences. Kwiklow does not rely on solely automated decisions for outcomes such as account bans, payment holds, or dispute resolution. All such actions involve human review to ensure fairness and context.

To exercise any of the above rights, you may contact our Data Protection Officer by email at privacy@kwiklow.com. Requests must include sufficient information to identify your account and verify your identity. We respond to all rights requests within one calendar month unless an extension is warranted due to complexity or volume, in which case you will be notified.

If you believe your rights have not been respected, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent authority for data protection. Contact details are available at ico.org.uk. We encourage users to contact us first to resolve concerns directly wherever possible.

7. Security
Kwiklow Ltd implements a multi-layered security framework to protect all personal data held on its platform from unauthorised access, alteration, disclosure, or destruction. This applies to data in transit, at rest, and in use.
Security measures are designed in accordance with the principles of integrity, availability, and confidentiality, and are proportionate to the risk and sensitivity of the data being processed.

All data is transmitted using secure encryption protocols such as TLS 1.2 or higher, ensuring that communication between user devices, backend infrastructure, and third-party services is protected from interception. Data stored within our infrastructure is encrypted using AES-256 or equivalent, and access to encrypted keys is tightly controlled using role-based access and hardware security modules where applicable. No plaintext storage of sensitive personal or financial data is permitted on any layer of the stack.

Access to personal data within our systems is restricted to authorised personnel only. Internal access is governed by least-privilege principles, enforced by granular permissions, multi-factor authentication, session timeouts, and centralised access management tools. All access events are logged and subject to regular audits. Any elevation of privilege or exceptional access is logged, justified, and reviewed.

Our infrastructure is hosted in secure, ISO 27001-certified data centres located within the UK or EEA. These facilities are physically secured with 24/7 monitoring, biometric access control, and redundant systems for power, cooling, and connectivity. Cloud environments are segmented to isolate sensitive workloads, and internal communications are encrypted across all service layers.

Kwiklow employs active monitoring and intrusion detection to identify suspicious behaviour, brute-force attacks, account enumeration, or abnormal data access patterns. Automated alerting systems flag anomalies in real time, allowing our security team to investigate and respond immediately.
In the event of a confirmed breach, we follow a strict incident response protocol, which includes isolating affected systems, assessing impact, notifying affected users, and reporting to the ICO within seventy-two hours as required under Article 33 of the UK GDPR.

All application code is developed following secure development lifecycle practices. This includes peer-reviewed code, automated vulnerability scanning, dependency checks, and penetration testing by external security firms at least annually. Findings from any audit or test are tracked through resolution and closed only upon documented remediation.

Mobile applications and APIs are hardened against common threats including injection attacks, cross-site scripting, man-in-the-middle attacks, and insecure direct object references. Rate limiting and behavioural throttling are applied to prevent denial of service attacks and abuse of service endpoints. Authentication tokens are signed, time-bound, and encrypted to ensure session integrity.

User-level protections are also in place. Passwords are hashed using bcrypt with a high work factor and are never stored or transmitted in plaintext. We encourage strong password policies and offer multi-factor authentication (2FA) for enhanced security. Suspicious login activity, such as access from a new device or location, triggers warning messages and may result in session termination until verified.

Kwiklow maintains a strict vendor management process to assess the security posture of all third-party processors. This includes security questionnaires, contractually binding data protection clauses, and review of certifications such as SOC 2, ISO 27001, and Cyber Essentials. No vendor is permitted to process data without evidence of ongoing compliance and incident response capability.

We train all employees with access to personal data on secure handling procedures, phishing avoidance, and their responsibilities under the UK GDPR.
Access to production environments is restricted to vetted personnel, and any breach of protocol results in disciplinary review.All backup data is encrypted, tested periodically for recoverability, and stored separately from production systems. Retention schedules for backups are defined based on data classification and business continuity requirements. Backups are not accessible to vendors or non-essential staff.Kwiklow conducts an annual security review and maintains an information security management system aligned with GDPR Article 32. This includes formal risk assessments, asset inventories, technical vulnerability reviews, and a roadmap of continuous improvement. Users may request a summary of our technical and organisational measures upon reasonable notice.8. ContactKwiklow Ltd takes all matters related to data protection and user privacy seriously. If you have questions, concerns, or requests regarding this privacy policy or your personal data, you may contact us directly. Our appointed Data Protection Officer (DPO) oversees compliance with the UK GDPR and is available to handle all enquiries relating to data access, rights, processing, or security incidents. You can contact the DPO by email at privacy@kwiklow.com or by post at Kwiklow Ltd, 20 Wenlock Road, London, N1 7GU, United Kingdom. Please include your full name, account email address, and a clear description of your request so we can verify your identity and respond efficiently. We typically respond within one calendar month, though more complex queries may require additional time in line with applicable regulations. For unresolved issues or if you believe we have failed to meet our legal obligations, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which can be contacted via ico.org.uk or by phone at 0303 123 1113. We encourage users to contact us first, as we are committed to resolving concerns directly, transparently, and promptly.
Kwiklow Ltd is a UK-based company providing a digital platform that connects clients with local service providers. We act as a data controller under the UK General Data Protection Regulation (UK GDPR).What Data We Collect
We collect personal data including your name, contact details, job history, payment information, location (if enabled), messages, and device data. This information is gathered through direct input, automated tracking, and integration with third-party services (e.g. payment processors or ID verification providers).Why We Collect It
We use your data to deliver our services, process payments, manage accounts, prevent fraud, personalise user experience, communicate with you, and comply with legal obligations. We also use data (with consent) for marketing and performance analytics.Our Legal Grounds
We process your data under the following legal bases: contractual necessity (e.g. job fulfilment), legitimate interest (e.g. platform security), consent (e.g. marketing or optional features), and legal obligation (e.g. tax compliance).Who We Share It With
Your data may be shared with secure third-party processors including hosting providers, analytics services, customer support tools, and payment processors. We never sell your data. Transfers outside the UK are protected by appropriate safeguards.How Long We Keep It
We retain your data only as long as necessary. Job records, payments, and support history are kept for up to six years to meet legal obligations. Inactive accounts may be deleted after 24 months. You may request deletion at any time, subject to exceptions.Your Rights
You have the right to access, correct, delete, or restrict your personal data. You can object to certain uses or withdraw consent at any time. You can also request a copy of your data or have it transferred elsewhere.Security Measures
We use encryption, secure data centres, access controls, and regular audits to protect your data. All systems are monitored and tested regularly for vulnerabilities. Data breaches are reported to the ICO within 72 hours where required.Contact
Email: contact@kwiklow.com
Post: Kwiklow Ltd, 20 Wenlock Road, London, N1 7GU, UK
Effective Date: 05/05/2025 1. Data CollectionKwiklow Ltd collects personal and usage data solely for the purpose of operating and improving its platform, ensuring lawful service delivery, and protecting user interests. This section details the types of data we collect, the methods through which collection occurs, and the rationale behind it.1.1 Categories of Data CollectedWe collect the following categories of data when you interact with our services:a) Identity Data
Full name, username, user ID, date of birth, profile photo (if uploaded), and government-issued identification (when identity verification is required).b) Contact Data
Mobile number, email address, postal address (if necessary for the service), and any alternate contact methods you choose to provide.c) Service Interaction Data
Details of projects posted, services requested, bids submitted, job acceptances, task completion records, reviews, and disputes. This includes time stamps, locations, and the history of service provider–client interactions.d) Financial Data
Bank account details, payment card data, payment preferences, wallet balances (where applicable), cryptocurrency wallet addresses, and transaction records. We do not store full payment card details on our servers; these are processed securely by our payment partners.e) Communication Data
Messages sent via in-app chat, support queries, emails to our helpdesk, feedback, and voice messages (if applicable). This data is retained for dispute resolution, compliance, and service improvement purposes.f) Device and Technical Data
IP address, device type, operating system, browser version, unique device identifiers, language settings, crash reports, and diagnostics. This helps us optimise performance, detect suspicious activity, and ensure platform security.g) Location Data
Where enabled, we may collect approximate or precise geolocation data during active use of the app—for instance, to show nearby service providers or confirm job completion on-site. Users have full control over location permissions in their device settings.h) Usage Data
Data on how you use our app or website, including time spent, navigation behaviour, clicks, search queries, referral sources, and interactions with service listings or advertisements.1.2 How Data Is CollectedWe gather data through the following methods:a) Direct Input by the User
When you register, complete your profile, post a job, submit a bid, communicate with others, or make a payment, you knowingly provide data to us. You are responsible for ensuring the accuracy of any data you input.b) Automated Collection via Technology
As you use the platform, we automatically collect device and usage data using cookies, software development kits (SDKs), mobile analytics, and server logs. These tools are deployed solely to support functionality, diagnostics, fraud detection, and service improvement.c) Third-Party Integrations
Where you link your Kwiklow account with third-party services (such as payment gateways, social login providers, or ID verification platforms), we receive information as permitted under the connected platform’s privacy terms.d) Customer Support and Feedback
When you contact customer support or submit feedback, we retain the data you provide to ensure continuity, resolve queries efficiently, and improve user experience.e) Cookies and Similar Technologies
Our website and app use cookies and similar identifiers to recognise you, remember preferences, and analyse platform use. You may control cookie preferences through your browser or mobile settings. Essential cookies cannot be disabled without affecting functionality.1.3 Justification for Data CollectionKwiklow collects personal data only where there is a clear legal basis and operational need. Every item collected serves one or more of the following justifications:To establish and verify user identity
Prevents fraud, ensures trust between users, and supports compliance with Know Your Customer (KYC) obligations where applicable.To facilitate service delivery
Enables users to post or accept jobs, communicate in real time, schedule work, and complete payment transactions.To ensure platform integrity and performance
Detects misuse, prevents platform abuse, enforces community standards, and improves app responsiveness and stability.To personalise user experience
Allows tailoring of content, recommended services, and search results based on user behaviour and preferences.To comply with legal and regulatory obligations
Includes obligations under tax law, anti-money laundering rules, and consumer protection laws.To support internal analytics and product improvement
Usage data enables continuous iteration of features, bug fixes, and strategic planning based on real user behaviour.1.4 Optional and Sensitive DataWe do not intentionally collect special category data (such as race, religion, health information, or political beliefs), and we strongly advise users not to submit such information unless required for legal or regulatory purposes. Where sensitive data is collected—for example, in identity verification—it is handled with heightened security controls and processed strictly under legal bases.Users may also choose to opt in to additional data collection features, such as enabling biometric login or allowing access to device photos or media when uploading service portfolios. These features are strictly opt-in and can be revoked at any time in user settings.2. Purpose of UseKwiklow Ltd processes personal data strictly for purposes that are lawful, transparent, and directly tied to the operation and improvement of its platform. This includes enabling core functionality, maintaining system security, supporting user engagement, and complying with applicable laws.We process identity, contact, and service interaction data to allow users to register, log in, manage accounts, and interact with one another. This includes posting jobs, submitting bids, negotiating terms, and confirming project completion. Communication data enables real-time dialogue between users, dispute resolution, and administrative support. These uses are fundamental to the platform’s operation and fall under the lawful basis of contractual necessity.Financial data is processed to enable secure payments, manage wallet balances, initiate refunds, and meet obligations under anti-money laundering and fraud regulations. We work with third-party payment processors to handle transactions securely. Transaction records are retained for accounting, auditing, and fraud detection. 
This processing is required both contractually and by law.Communication and notification systems rely on processing basic user data. We send transactional messages such as confirmation emails, bid alerts, service reminders, payment notices, and dispute outcomes. These messages are system-driven and necessary for platform operation. We also issue service announcements when changes to our terms, features, or legal requirements affect your use of the platform. For support interactions, we retain records of chats, emails, and tickets to ensure continuity and track resolution outcomes. These fall under both contractual necessity and legitimate interest.To improve user experience, we process usage data to personalise platform content. This includes tailoring service listings, suggesting relevant providers or projects, and adjusting visibility of features based on user preferences or history. We also use behavioural data to improve search ranking relevance, optimise navigation flow, and identify underperforming features. These activities support a smoother user journey and are justified by legitimate interest.We process technical and behavioural data to secure the platform. This includes monitoring IP addresses, access patterns, login locations, and device fingerprints. Suspicious activity such as account takeovers, bot usage, or fraud attempts is flagged automatically. We also monitor messages and content for abuse, spam, hate speech, and other breaches of our acceptable use terms. Where appropriate, this leads to action such as account suspension or reporting to authorities. These actions are based on legitimate interest and, where required, legal obligation.Marketing activity is consent-based. Users may choose to receive promotional emails, updates on new features, or relevant third-party offers. We may segment audiences to deliver more relevant campaigns, but no direct profiling occurs without user knowledge. 
You can opt in or out of marketing at any time in your account settings. We never sell personal data or share marketing information with external parties without clear, revocable consent. The legal basis for this processing is user consent.We use aggregated and pseudonymised data for internal analytics. This helps us understand platform performance, track user behaviour at a macro level, and prioritise development resources. Examples include analysing high-demand categories, understanding drop-off points in onboarding, or evaluating retention trends. No reports generated from analytics expose personal identities. The basis for this processing is legitimate interest, with safeguards in place to protect user anonymity.Certain optional features may involve additional data. For example, users may choose to enable location tracking for on-site job verification or allow access to camera and media files to upload project images. Participation in these features is strictly opt-in, with permissions managed by the user at the device level. No optional data is collected or processed without explicit and informed consent.All data processing is designed to be proportionate, necessary, and transparent. Where multiple purposes exist for the same data category, we apply the most restrictive legal basis and ensure compliance through internal governance and technical safeguards.3. Legal Bases for ProcessingKwiklow Ltd processes personal data only where there is a valid legal ground under the UK General Data Protection Regulation (UK GDPR). Each processing activity falls under one or more of the six lawful bases defined in Article 6 of the regulation. This section outlines how each base applies in practical terms within the platform.The primary basis is contractual necessity, which applies when we process data to fulfil a contract with the user. 
This includes creating and managing user accounts, facilitating job postings, enabling communication between clients and service providers, processing payments, tracking project progress, issuing invoices, managing disputes, and enforcing user terms. If users do not provide data required under this basis, we cannot deliver the core functions of the platform.Legitimate interest is used where data processing is essential for the operation, security, and growth of the platform, and where those interests are not overridden by the user’s rights or freedoms. Examples include fraud prevention, abuse detection, platform optimisation, interface testing, system maintenance, internal analytics, and the tailoring of user experience. We apply a balancing test to ensure that such processing is reasonable, minimally intrusive, and expected by the user. Data used under this basis is limited in scope and subject to opt-out mechanisms where possible.Consent is the basis we rely on for all non-essential processing. This includes receiving marketing communications, participating in promotional campaigns, enabling biometric login, allowing access to device media, and granting geolocation tracking when not strictly required for job performance. Consent is obtained explicitly, recorded securely, and can be withdrawn at any time through account settings or by contacting our support team. We do not use pre-ticked boxes or implied consent. Where consent is the only legal basis, no processing occurs without it.Legal obligation applies when we are required to process data under UK law or in response to official requests from regulatory authorities. This includes compliance with tax legislation, anti-money laundering checks, financial reporting requirements, consumer protection laws, and law enforcement disclosures. 
In such cases, we may retain records longer than usual and may disclose specific data to government or enforcement bodies without user consent, strictly in accordance with the law.In limited circumstances, we may process data under public interest or vital interests, although these are rarely relied upon. Public interest may apply if the processing supports a government-mandated initiative or regulatory function. Vital interests may apply in cases where the safety or well-being of an individual is at risk, and urgent action is required without time to obtain consent—for example, if we become aware of credible threats of harm communicated through the platform.Where more than one lawful basis applies to the same processing activity, we document and prioritise the basis offering the highest protection for the user. Our internal data mapping ensures each data category is linked to a lawful basis, and our staff are trained to follow those mappings strictly. No data is processed without legal justification, and no purpose is added retroactively without re-assessment of the appropriate legal basis.We also apply the principle of data minimisation in relation to all legal bases. This means that even where processing is legally justified, we limit the data collected to what is strictly necessary, avoid excessive retention, and restrict internal access to personnel with a defined operational need.Kwiklow maintains a Record of Processing Activities (ROPA) in accordance with Article 30 of the UK GDPR. This document logs every data flow, associated purpose, legal basis, and relevant safeguards, and is subject to review and audit. We are fully prepared to demonstrate compliance to the Information Commissioner’s Office (ICO) upon request.4. Data SharingKwiklow Ltd does not sell, rent, or trade personal data under any circumstances. 
However, in order to operate the platform effectively, provide core services, and comply with regulatory requirements, we may share user data with carefully selected third parties. This section details the categories of recipients, the purposes for sharing, and the safeguards in place.We share data with service providers and processors who support our core operations. These include cloud hosting providers, email and SMS gateways, analytics tools, customer support platforms, payment processors, and cybersecurity vendors. These parties operate under strict contractual agreements that bind them to confidentiality, data protection obligations, and the sole use of data for the purposes we instruct. They may not use or retain the data for their own benefit. Access is limited to the minimum necessary and monitored through audit and access control logs.We disclose relevant personal and financial data to payment service providers in order to process transactions, manage funds, and detect payment fraud. This includes banks, card processors, and in some cases, cryptocurrency gateway providers. All such partners are regulated entities, certified to industry standards (e.g. PCI DSS), and undergo periodic reviews by our compliance team. Kwiklow never stores full payment card details directly.Where a user chooses to link their account to a third-party platform, such as Google or Apple for social login, or an ID verification provider, we share the minimum necessary data required to facilitate that integration. These integrations are strictly opt-in and subject to the external platform’s own privacy terms. Kwiklow does not permit third-party platforms to reuse that data outside the scope of the original integration.In the event of a job dispute, claim, or investigation, we may share communication data, transaction logs, or account identifiers with the involved parties or with independent adjudicators where applicable. 
This is done solely to resolve the matter fairly and efficiently, and all disclosures are logged. If necessary, anonymised or redacted data is used to protect third-party privacy during the process.We may share data with law enforcement, courts, regulators, or tax authorities where required by law or in response to legally binding orders. Such disclosures are made only after formal verification of the request, and the scope of data disclosed is limited to what is explicitly required. In cases involving imminent harm or criminal activity, disclosures may occur without prior notice to the user, in accordance with our obligations under UK law.In the case of corporate restructuring, including mergers, acquisitions, or asset sales, data may be disclosed to potential buyers or advisors under confidentiality terms. In such scenarios, users will be notified prior to any material change in data control. The acquirer will be bound to honour existing privacy terms or to offer users the option to withdraw consent if terms change.We also share aggregated, anonymised, or pseudonymised data with research partners, industry analysts, and business stakeholders for the purpose of understanding platform trends, improving operations, and supporting strategic planning. These data sets are stripped of personal identifiers and cannot be used to re-identify individuals without access to restricted internal keys, which are never disclosed.All third-party sharing is governed by data processing agreements (DPAs) that define the purpose, duration, and scope of access. We maintain an internal vendor risk register and carry out periodic assessments of each third party’s security and compliance posture. No processor is retained without evidence of GDPR alignment and active technical controls in place.Where data is transferred outside the UK or EEA, we ensure compliance with international transfer requirements. 
This includes using recognised mechanisms such as UK Addendum to Standard Contractual Clauses (SCCs), adequacy decisions by the UK government, or other safeguards approved by the Information Commissioner’s Office. Transfer impact assessments (TIAs) are conducted prior to onboarding high-risk vendors in non-adequate jurisdictions.We maintain full visibility over all data sharing practices and offer users a complete record of the categories of data shared upon request. No third party is authorised to use personal data beyond the direct performance of contracted services, and we actively monitor compliance through audits, breach reports, and contract enforcement mechanisms.5. Data RetentionKwiklow Ltd retains personal data only for as long as it is necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, contractual, and operational requirements. Retention periods are determined based on the nature of the data, the context of processing, statutory requirements, and the risk associated with storage.Account data including identity, contact, and profile information is retained for the duration of the user’s active account. If a user closes their account, the associated personal data is deleted or anonymised within thirty days, unless retention is required for dispute resolution, fraud prevention, or legal compliance. Where a user has been banned or suspended for breach of terms, selected identifiers and evidence records may be retained for a longer period to prevent re-registration and support lawful enforcement.Transaction data including payment history, invoices, disbursements, and job activity is retained for a minimum of six years from the date of the transaction to comply with accounting, tax, and anti-money laundering obligations. This includes wallet activity, cryptocurrency payments, and fee structures. 
Where legal claims or audits are active, retention may be extended until those matters are concluded.Communication records including support queries, in-app messages, emails, and call logs are retained for up to three years to support dispute resolution, quality assurance, training, and legal accountability. If a specific communication thread becomes subject to investigation or legal proceedings, it may be preserved beyond the standard retention period until no longer needed for evidentiary purposes.Technical data including logs, device identifiers, and system access records are generally retained for up to twelve months unless linked to a known incident. In cases of fraud detection, data such as IP addresses, access tokens, and login timestamps may be retained longer and cross-referenced against historical patterns to support future risk mitigation.Cookies and similar technologies used for functional or analytical purposes are retained in accordance with their individual expiry settings, typically ranging from one session to six months. Users can manage cookie storage via their browser settings or in-app preferences, and essential cookies cannot be disabled without impacting core functionality.Anonymised and aggregated data used for business analytics, reporting, or strategic planning may be retained indefinitely, provided it cannot be linked back to an identifiable individual. This includes usage metrics, trend analysis, and performance benchmarks, none of which carry personal risk when properly de-identified.Where users withdraw consent for optional features, the related data is deleted or rendered inaccessible immediately, except where such data is part of a broader record required under legal or contractual grounds. 
For example, revoking consent to receive marketing emails will not affect the retention of your job history, payment records, or dispute outcomes.If a user has no recorded activity on the platform for twenty-four consecutive months, their account is flagged as inactive. We may issue a reactivation prompt and, if no response is received, proceed to delete or anonymise personal data associated with the inactive account. Certain essential data such as completed transaction records may still be retained for compliance purposes even after full account deletion.All data deletion processes are handled securely using industry-standard procedures, including irreversible anonymisation or cryptographic erasure. Data is removed from active systems and, where applicable, backup archives within a reasonable technical delay not exceeding ninety days. We maintain detailed deletion logs for auditability and accountability.Kwiklow applies data minimisation and retention limitation as core principles of our data lifecycle management. Retention policies are reviewed biannually and updated to reflect regulatory changes, industry standards, and operational priorities. Users may request a detailed summary of retention timelines applicable to their data by contacting our privacy team.6. User RightsUnder the UK General Data Protection Regulation (UK GDPR), all individuals have enforceable rights concerning the personal data processed about them. Kwiklow Ltd recognises and upholds these rights, and provides clear, accessible mechanisms for users to exercise them. This section outlines your rights, the scope of each, and how to initiate a request.You have the right to access your personal data. This means you can request confirmation of whether we hold your data and receive a copy of it in a structured, commonly used format. Access requests typically include profile details, service interactions, payment records, and communication logs. 
Requests are processed within one calendar month, free of charge unless manifestly unfounded or excessive.You have the right to rectification, which allows you to request correction of inaccurate or incomplete personal data. This applies to names, contact information, identification documents, or any other stored detail. Most fields can be corrected directly through your account settings. Where manual updates are required, you may be asked to provide supporting documentation.You have the right to erasure, also known as the ‘right to be forgotten’. You may request that we delete your personal data in circumstances where the data is no longer needed, consent has been withdrawn, or the processing was unlawful. This right does not apply where data must be retained for legal obligations, fraud prevention, or ongoing contractual matters. When granted, erasure is carried out across all active systems and confirmed in writing.You have the right to restrict processing, which allows you to limit how your data is used in certain scenarios. This may apply while a rectification request is being verified, if you contest the legality of processing, or where data is no longer needed but must be preserved for legal defence. While restricted, your data will not be used for any purpose beyond storage and will be flagged accordingly in our systems.You have the right to data portability, which enables you to receive your personal data in a machine-readable format or request it be transferred to another controller. This applies only to data you have provided to us directly under contract or consent, such as job history, messages, and payment preferences. We deliver portable data in a secure JSON or CSV format via a secure download link.You have the right to object to processing carried out under the legitimate interest basis or for direct marketing purposes. 
If you object to legitimate interest processing, we will assess whether our grounds override your rights and freedoms before continuing. Objections to marketing are honoured immediately and without question, and can be managed through your settings or unsubscribe links in communications.You have the right to withdraw consent at any time where consent is the basis for processing. Withdrawal does not affect the lawfulness of processing prior to withdrawal. Revoking consent may disable certain features or services, such as location-based functions or promotional emails, and this will be clearly communicated before action is taken.You have the right not to be subject to automated decision-making, including profiling, where such decisions produce legal effects or similarly significant consequences. Kwiklow does not rely on solely automated decisions for outcomes such as account bans, payment holds, or dispute resolution. All such actions involve human review to ensure fairness and context.To exercise any of the above rights, you may contact our Data Protection Officer by email at privacy@kwiklow.com. Requests must include sufficient information to identify your account and verify your identity. We respond to all rights requests within one calendar month unless an extension is warranted due to complexity or volume, in which case you will be notified.If you believe your rights have not been respected, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent authority for data protection. Contact details are available at ico.org.uk. We encourage users to contact us first to resolve concerns directly wherever possible.7. SecurityKwiklow Ltd implements a multi-layered security framework to protect all personal data held on its platform from unauthorised access, alteration, disclosure, or destruction. This applies to data in transit, at rest, and in use. 
Security measures are designed in accordance with the principles of integrity, availability, and confidentiality, and are proportionate to the risk and sensitivity of the data being processed.All data is transmitted using secure encryption protocols such as TLS 1.2 or higher, ensuring that communication between user devices, backend infrastructure, and third-party services is protected from interception. Data stored within our infrastructure is encrypted using AES-256 or equivalent, and access to encrypted keys is tightly controlled using role-based access and hardware security modules where applicable. No plaintext storage of sensitive personal or financial data is permitted on any layer of the stack.Access to personal data within our systems is restricted to authorised personnel only. Internal access is governed by least-privilege principles, enforced by granular permissions, multi-factor authentication, session timeouts, and centralised access management tools. All access events are logged and subject to regular audits. Any elevation of privilege or exceptional access is logged, justified, and reviewed.Our infrastructure is hosted in secure, ISO 27001-certified data centres located within the UK or EEA. These facilities are physically secured with 24/7 monitoring, biometric access control, and redundant systems for power, cooling, and connectivity. Cloud environments are segmented to isolate sensitive workloads, and internal communications are encrypted across all service layers.Kwiklow employs active monitoring and intrusion detection to identify suspicious behaviour, brute-force attacks, account enumeration, or abnormal data access patterns. Automated alerting systems flag anomalies in real time, allowing our security team to investigate and respond immediately. 
In the event of a confirmed breach, we follow a strict incident response protocol, which includes isolating affected systems, assessing impact, notifying affected users, and reporting to the ICO within seventy-two hours as required under Article 33 of the UK GDPR.

All application code is developed following secure development lifecycle practices. This includes peer-reviewed code, automated vulnerability scanning, dependency checks, and penetration testing by external security firms at least annually. Findings from any audit or test are tracked through resolution and closed only upon documented remediation.

Mobile applications and APIs are hardened against common threats including injection attacks, cross-site scripting, man-in-the-middle attacks, and insecure direct object references. Rate limiting and behavioural throttling are applied to prevent denial of service attacks and abuse of service endpoints. Authentication tokens are signed, time-bound, and encrypted to ensure session integrity.

User-level protections are also in place. Passwords are hashed using bcrypt with a high work factor and are never stored or transmitted in plaintext. We encourage strong password policies and offer multi-factor authentication (2FA) for enhanced security. Suspicious login activity, such as access from a new device or location, triggers warning messages and may result in session termination until verified.

Kwiklow maintains a strict vendor management process to assess the security posture of all third-party processors. This includes security questionnaires, contractually binding data protection clauses, and review of certifications such as SOC 2, ISO 27001, and Cyber Essentials. No vendor is permitted to process data without evidence of ongoing compliance and incident response capability.

We train all employees with access to personal data on secure handling procedures, phishing avoidance, and their responsibilities under the UK GDPR.
Access to production environments is restricted to vetted personnel, and any breach of protocol results in disciplinary review.

All backup data is encrypted, tested periodically for recoverability, and stored separately from production systems. Retention schedules for backups are defined based on data classification and business continuity requirements. Backups are not accessible to vendors or non-essential staff.

Kwiklow conducts an annual security review and maintains an information security management system aligned with GDPR Article 32. This includes formal risk assessments, asset inventories, technical vulnerability reviews, and a roadmap of continuous improvement. Users may request a summary of our technical and organisational measures upon reasonable notice.

8. Contact
Kwiklow Ltd takes all matters related to data protection and user privacy seriously. If you have questions, concerns, or requests regarding this privacy policy or your personal data, you may contact us directly. Our appointed Data Protection Officer (DPO) oversees compliance with the UK GDPR and is available to handle all enquiries relating to data access, rights, processing, or security incidents. You can contact the DPO by email at privacy@kwiklow.com or by post at Kwiklow Ltd, 20 Wenlock Road, London, N1 7GU, United Kingdom. Please include your full name, account email address, and a clear description of your request so we can verify your identity and respond efficiently. We typically respond within one calendar month, though more complex queries may require additional time in line with applicable regulations. For unresolved issues or if you believe we have failed to meet our legal obligations, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which can be contacted via ico.org.uk or by phone at 0303 123 1113. We encourage users to contact us first, as we are committed to resolving concerns directly, transparently, and promptly.