Privacy Policy
Last updated: 9 June 2026
This policy explains what personal data BlueWave collects, why, what we do with it, and the rights you have over it. We've written it in plain English on purpose — if anything here is unclear, that's a defect, and we'd like to hear about it.
Who we are
BlueWave is field-service software for UK water-hygiene companies: scheduling, field data capture, compliance records and billing in one platform.
BlueWave Ltd [pending] · Registered in England & Wales · Company No. [pending] · Registered office: [pending]. Our ICO registration number is [pending].
For anything about your personal data, contact privacy@usebluewave.com [pending mailbox]. We have not appointed a Data Protection Officer — at our size and with the data we process, UK GDPR doesn't require one — but that address reaches the people responsible for data protection decisions.
⚠ For review: Company details and ICO registration number are placeholders pending real values. Solicitor to confirm the no-DPO position (Art 37) and whether an EU/EEA representative (Art 27 EU GDPR) is needed for EU visitors — we are UK-established and have not appointed one.
The two hats we wear
This matters more than anything else on this page, so it goes first.
For this website and our own business records, we are the controller. Visitor data, demo requests, contact-form messages, and the account details of people who sign in — we decide why and how that data is used, and this policy governs it.
For the operational data our customers put into the platform, we are a processor. Job records, site and asset registers, engineers' field reports, photos, signatures, sampling results — that data belongs to the water-hygiene company that uploaded it. They are the controller; we process it on their documented instructions under our data processing agreement, and their privacy policy (not this one) governs what they collect from their own staff and clients. If you're an engineer using BlueWave because your employer asked you to, your employer is the controller of your field data.
The data we collect
- Site visitors. Our hosting infrastructure keeps short-lived server logs (IP address, user agent, requested pages) for security and reliability. Our site analytics is cookieless and aggregate — it doesn't identify you. [pending Q8 — provider to be named once confirmed]
- People who book a demo or contact us. Your name, email address, company name if you give one, and your message — all straight from the form you filled in.
- Account users. Name, work email, role, and sign-in activity. If a colleague invited you, your name and email came from your employer rather than from you — that's the only data we routinely receive about you from someone else.
- Engineers' field data. Collected through the app as part of the service — job records, photos, locations, signatures. We hold it as a processor, on your employer's instructions (see the two hats above).
You don't have to give us anything. But without contact details we can't answer an enquiry, and without basic account details your employer can't give you access to the platform — account data is needed to perform our contract with your company. We don't seek special-category data and ask that you don't put any in a contact-form message.
Why we use it, and our lawful bases
| Purpose | Data | Lawful basis (UK GDPR Art 6) |
|---|---|---|
| Answering enquiries and demo requests | Name, email, company, your message | Legitimate interests — responding to people who contact us about the product |
| Providing and administering accounts | Name, work email, role, sign-in activity | Contract |
| Service emails — invites, password resets, confirmations | Email address | Contract |
| Security, fraud and abuse prevention | Server logs, audit trails | Legitimate interests — keeping the service and our tenants' data safe |
| Understanding how the site is used | Aggregate, cookieless analytics [pending Q8] | Legitimate interests — improving content without identifying anyone |
| Meeting legal obligations | Whatever the obligation requires | Legal obligation |
We don't send marketing emails today. If that ever changes, we'll ask for consent first, and you'll be able to withdraw it as easily as you gave it.
⚠ For review: Proposed positions: legitimate interests for enquiry handling (rather than Art 6(1)(b) pre-contract steps) and for cookieless analytics. DPO to confirm the named interests and whether a legitimate-interests assessment is recorded for each.
Who we share it with
We never sell personal data. We share it with a short list of service providers who help us run BlueWave, under contracts that bind them to protect it:
- Cloud hosting and infrastructure
- Transactional email delivery
- Address lookup and geocoding (addresses only, no names)
- Professional advisers, where we genuinely need advice
- Authorities or regulators, where the law requires it — and only what it requires
We're finalising a published list naming each sub-processor, what it does, where it processes data and on what safeguard. Once live, it will be linked from here and from our data processing agreement.
⚠ For review: Sub-processor list pending confirmation (candidates: Google Cloud Platform, Resend, HERE, self-hosted FusionAuth, analytics provider). The named-list page ships as US-MKT-016; this section gains the link then.
International transfers
We aim to keep personal data in the UK and EEA. Where a provider processes data outside countries covered by UK adequacy regulations, we'll rely on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, with a transfer risk assessment completed first.
⚠ For review: Which sub-processors actually make restricted transfers is unconfirmed (it follows the sub-processor list). DPO to complete transfer risk assessments before this section claims IDTA/Addendum reliance for any named provider.
How long we keep things
| Data | Kept for |
|---|---|
| Demo requests and enquiries | 12 months after our last exchange |
| Account data | Life of the account, then deleted within 30 days of closure |
| Server and security logs | 30 days |
| Customer operational data (we're the processor) | Per your company's instructions and contract — returned or deleted when the contract ends. Water-hygiene businesses typically instruct long retention because their own compliance rules (such as LCA guidance) expect records kept for five years. |
⚠ For review: All retention periods above are proposed defaults, not yet business-confirmed. DPO to ratify or adjust each.
Your rights
Under UK GDPR you can ask us to:
- Access the personal data we hold about you, with a copy
- Rectify anything inaccurate or incomplete
- Erase your data, where there's no good reason for us to keep it
- Restrict what we do with it while a dispute is resolved
- Port data you gave us to another provider, in a usable format
- Object to processing based on legitimate interests
Where we rely on consent, you can withdraw it at any time without affecting what happened before. Email privacy@usebluewave.com [pending mailbox] to exercise any of these — we'll respond within one month. If your data sits in a customer's tenant (the processor hat), we'll pass your request to your employer, because the decision is legally theirs.
Complaints
If you think we've handled your data badly, tell us first — we'd rather fix it than have you escalate it. You also have the right to complain to the UK's supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
0303 123 1113 · ico.org.uk
Cookies and analytics
We don't use tracking cookies. The only things this site stores in your browser are strictly necessary: your theme preference, your sign-in session if you have an account, and a flag remembering that you dismissed our cookie notice. Our analytics is cookieless — it counts pageviews in aggregate without identifying you. [pending Q8 — provider and storage confirmation] The full storage-by-storage detail lives in our cookie policy.
Security
Data is encrypted in transit, access is role-based and least-privilege, and every tenant's data is isolated from every other tenant's by design. The fuller picture lives on our security page. We claim no certifications we don't hold.
Children
BlueWave is a business tool for water-hygiene companies. It isn't directed at children and we don't knowingly collect children's data.
Automated decision-making
We don't make automated decisions about you that have legal or similarly significant effects. No profiling, no scoring.
Changes to this policy
When this policy changes, we'll update it here and change the date at the top. If a change materially affects account holders, we'll email them before it takes effect.