GDPR Compliance

Your European data protection rights

Last Updated: November 27, 2025

Back to Home

Table of Contents

1. Introduction

Clear Window is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR). This page explains how we comply with GDPR requirements and outlines your rights as a data subject within the European Economic Area (EEA).

We take data protection seriously and have implemented appropriate technical and organizational measures to ensure the security and confidentiality of your personal information.

2. Data Controller Information

Data Controller: Clear Window Ltd.

Data Protection Officer (DPO): dpo@clearwindow.com

Contact Email: support@clearwindow.com

3. Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal data:

Right to Access (Article 15)

You have the right to request access to your personal data. We will provide you with a copy of the personal data we hold about you, along with information about how it is being processed.

Right to Rectification (Article 16)

You have the right to request correction of any inaccurate or incomplete personal data we hold about you.

Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purposes it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing of your personal data in certain situations:

  • You contest the accuracy of the data
  • Processing is unlawful but you don't want the data erased
  • We no longer need the data but you need it for legal claims
  • You've objected to processing and verification is pending

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

Right to Object (Article 21)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

Right to Withdraw Consent (Article 7)

Where we process your data based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@clearwindow.com or use our dedicated GDPR request form. We will respond to your request within one month of receipt.

4. Legal Basis for Data Processing

We process your personal data only when we have a valid legal basis under Article 6 of the GDPR:

Consent (Article 6(1)(a))

When you provide explicit consent for specific processing activities, such as:

  • Creating an account on our platform
  • Subscribing to marketing communications
  • Participating in surveys or feedback requests

Contractual Necessity (Article 6(1)(b))

Processing necessary to perform a contract with you or to take steps at your request before entering into a contract:

  • Verifying your identity for review submission
  • Processing and displaying your reviews
  • Providing customer support

Legal Obligation (Article 6(1)(c))

Processing necessary to comply with legal obligations, such as:

  • Responding to lawful requests from authorities
  • Preventing fraud and abuse
  • Maintaining records for tax and accounting purposes

Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate interests or those of a third party, except where overridden by your fundamental rights:

  • Improving our services and user experience
  • Detecting and preventing fraud
  • Network and information security
  • Internal administration and analytics

5. What Data We Collect

We collect and process the following categories of personal data:

Identity Data

  • Name (for verification purposes only, anonymized in reviews)
  • Email address
  • Username or display name (pseudonymized)

Verification Data

  • Proof of address documents (processed and immediately anonymized)
  • Tenancy or lease documentation (metadata only, full documents deleted after verification)
  • Verification status and timestamp

Review Data

  • Review content (anonymized)
  • Rating information
  • Property or service being reviewed (location data)
  • Review timestamp

Technical Data

  • IP address (hashed and anonymized after 48 hours)
  • Device information and browser type
  • Usage data and analytics (aggregated and anonymized)
  • Cookies and similar tracking technologies

Communication Data

  • Customer support inquiries
  • Email communications
  • Feedback and survey responses

6. How We Use Your Data

We use your personal data for the following purposes:

Service Provision

  • Creating and managing your account
  • Verifying your identity and connection to reviewed properties
  • Publishing anonymized reviews
  • Detecting and preventing fraud and abuse

Service Improvement

  • Analyzing platform usage and performance
  • Developing new features and functionality
  • Testing and improving our verification algorithms

Communication

  • Responding to your inquiries and support requests
  • Sending service-related notifications
  • Sending marketing communications (with your consent)

Legal and Security

  • Complying with legal obligations
  • Protecting against fraud and security threats
  • Enforcing our terms of service

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Account Data

Retained while your account is active and for 12 months after account closure, unless legal obligations require longer retention.

Verification Documents

Processed and immediately anonymized. Original documents are permanently deleted within 48 hours of verification completion.

Review Data

Anonymized reviews are retained indefinitely as they serve the public interest. Personal identifiers are removed immediately upon publication.

Technical Data

IP addresses are hashed and anonymized after 48 hours. Analytics data is aggregated and anonymized within 30 days.

Communication Data

Customer support records are retained for 3 years to improve service quality and resolve disputes.

Automated Deletion

We have implemented automated systems to ensure data is deleted according to these retention schedules. You can request early deletion of your data at any time by exercising your right to erasure.

8. Data Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

Technical Measures

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access controls with principle of least privilege
  • Authentication: Multi-factor authentication for all staff accounts
  • Monitoring: 24/7 security monitoring and intrusion detection
  • Regular Testing: Penetration testing and vulnerability assessments
  • Data Anonymization: Automated anonymization of personal identifiers

Organizational Measures

  • Regular staff training on data protection and security
  • Data protection impact assessments for high-risk processing
  • Incident response and breach notification procedures
  • Regular audits of data processing activities
  • Contracts with processors ensuring GDPR compliance

Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours (when required)
  • Notify affected individuals without undue delay if high risk to rights and freedoms
  • Document the breach and our response measures
  • Take steps to mitigate the effects of the breach

9. Data Sharing and Transfers

We Do Not Sell Your Data

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

Limited Sharing

We may share your personal data with:

  • Service Providers: Carefully vetted processors who assist with platform operations (hosting, analytics, email services) under strict data processing agreements
  • Legal Requirements: Authorities when required by law or to protect rights, property, or safety
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to you)

International Data Transfers

Your data is primarily processed within the EEA. When we transfer data outside the EEA, we ensure adequate protection through:

  • European Commission approved Standard Contractual Clauses (SCCs)
  • Adequacy decisions for specific countries
  • Appropriate safeguards such as Privacy Shield certification (where applicable)

Processor Compliance

All third-party processors we engage with are required to:

  • Process data only on our instructions
  • Implement appropriate security measures
  • Assist with GDPR compliance obligations
  • Delete or return data when no longer needed

10. Automated Decision-Making

We use automated processing and algorithms in the following ways:

Fraud Detection

Our anti-brigading systems use automated algorithms to detect suspicious patterns. However, we do not make final decisions solely based on automated processing. Human review is involved in all enforcement actions.

Review Weighting

Our smart weighting algorithm adjusts review visibility based on factors like verification level and review patterns. You have the right to:

  • Obtain information about the logic involved
  • Express your point of view
  • Contest the decision
  • Request human intervention

Verification Processing

Document verification uses automated tools to check authenticity, but human verification occurs for edge cases and disputes.

Your Rights Regarding Automated Decisions

You have the right to request human intervention, express your view, and contest any automated decision that significantly affects you. Contact us at privacy@clearwindow.com to exercise this right.

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe we have not complied with GDPR requirements.

EU/EEA Data Protection Authorities

You can file a complaint with the supervisory authority in:

  • The EU member state of your habitual residence
  • Your place of work
  • The place of the alleged infringement

UK Information Commissioner's Office (ICO)

For UK residents:

Website: https://ico.org.uk

Phone: 0303 123 1113

Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Before Filing a Complaint

We encourage you to contact us first at dpo@clearwindow.com. We take all complaints seriously and will work to resolve your concerns promptly.

12. Contact Our Data Protection Officer

For any questions, concerns, or requests regarding your personal data or this GDPR compliance page, please contact our Data Protection Officer:

Data Protection Officer

Email: dpo@clearwindow.com

Response Time: We aim to respond to all GDPR-related inquiries within 5 business days and complete requests within 30 days.

Additional Resources

For more information about our data practices, please see: