Privacy Policy

In this privacy notice references to “we”, or “Castle Water” (and connected words such as “us” or “our”) refer to the Castle Water Group (as defined below). We are the controller of personal data obtained via our website and the personal data collected and stored by us, meaning we are the organisation legally responsible for deciding how and for what purposes it is used in accordance with the UK General Data Protection Regulation and the Data Protection Act 2018 (the Data Protection Regulations).

Who processes your personal data

Your personal data may be processed by any of the following parties:

  • A company within the Castle Water group of companies which as at the date of this notice includes
    • Castle Water Limited (company number SC475583)
    • Castle Water (Southern) Limited (company number 09933767)
    • Castle Water (South East) Limited (company number 03037009)
    • Castle Water (Scotland) Limited (company number SC448118)
    • Castle Water (Scotland) No.2 Limited (company number SC514287)
      •  

      (known together as the Castle Water Group)

  • Market Operator Services Limited, (company number 09276929) whose registered office is at White Building, 1-4 Cumberland Place, Southampton, England, SO15 2NP (“MOSL”). MOSL is owned by all the water companies, both wholesalers and retailers, who trade in the competitive market in England;
  • Central Market Agency Limited (company number SC328635) whose registered office is at 48 Enterprise House, Springkerse Business Park, Stirling, Scotland, FK7 7UF (“CMA”). The CMA is the organisation that administers the retail market for water and wastewater services in Scotland; and
  • Third Party data processors, these being other organisations that process data on behalf of the Castle Water group or any of the other parties, or with whom data is shared, as outlined in this privacy notice.

Scope of this Notice

This notice applies to the treatment of any information that could be used to identify an individual and which it provides to or is collected by the Castle Water Group, through direct interactions with you or the use of market information maintained by MOSL or the CMA.

We use the term “personal data” to describe the information we receive or collect about you.

The notice applies for users of Castle Water’s web platforms such as MyAccount and the Online Quotes Tool as well as customers who receive, or intend to receive, services from us.

The protection of personal data is very important to us, and we understand our responsibilities to handle personal data with care, to keep it secure and to comply with legal requirements.

This notice is not intended to override the terms of any contract that any customer may have with a Castle Water Group company (or any rights they might have available under applicable data protection laws).

What personal data do we collect?

We collect information about you when you visit our website, sign up for quotes, become our customer, are a prospective customer, or when you contact us.

The personal data we process for the provision of services includes, but is not limited to, the following:

  • account, contact and communication details: full name, email address, supply address, telephone number, account number, account details such as username and login details, job title, the organisation/business that a person works for, log-in details, records of any communications whether written or spoken; and
  • billing information: payment details (inclusive of any financial or other personal information you submit when using our websites online payment facility, provide over the telephone with us or when creating a direct debit), transaction details, billing addresses, information relating to outstanding balances and debt recovery action (including court proceedings), and information relating to credit ratings or credit scores; and
  • supply point details:  customer classifications including unique identifiers, metering information or consumption data. Please note that, in respect of customers based in England, the information we hold is described in more detail in the market data catalogue Code Subsidiary Document 0301; and
  • website data: consisting of the information that is gathered by the cookies in your web browsers. We may collect information about the way in which you use our services, and the internet protocol address (IP address) used to connect to the internet. For information relating to Cookies please see our Cookies policy.

 

In respect of our customers, we do not typically collect any special categories of personal data, such as details relating to health, in the general course of providing services to customers. However, we may store such data if it is essential, and we have an appropriate legal basis to do so.

We comply with the data minimisation principles as set out in the data protection regulations and will not collect any personal data that we do not need in order to provide the services and related matters

Legal basis for storing and collecting personal data

We must establish a lawful basis to use your personal data. We must only use personal data where we are satisfied that:

  • our use of personal data is necessary to perform a contract with that individual or take steps to enter into a contract with that individual; or
  • our use of personal data has been deemed appropriate following a legitimate interest assessment. Castle Water generally have a legitimate interest in storing personal data of its customers as we are responsible for the provision of water and sewerage retail services to non-household customers, and the general operation of the non-household market, in England and Scotland under the relevant Market Codes and our licences; or
  • our use of personal data is necessary to comply with relevant legal and/or regulatory obligations, such as compliance with standards set by The Water Regulation Authority; Water Industry Commission for Scotland; the Department for Environment, Food & Rural Affairs; and the Information Commissioners Office; or
  • whilst we will not usually rely on consent as a lawful basis, where we do rely on consent, you may withdraw their consent to such processing at any time. We will also make you aware that if you choose to do so, we may be unable to continue to provide certain services to you. If you choose to withdraw your consent, we will tell you more about the possible consequences. The withdrawal of their consent in this circumstance shall not affect the lawfulness of the processing based on consent before the withdrawal. Withdrawal of consent will not necessarily result in processing being stopped where consent was not the lawful basis for the processing.

 

Before collecting and/or using any special categories of personal data we will establish an additional lawful basis to those set out above which will allow us to use that information. This additional exemption will typically be:

  • for the establishment, exercise or defence by us or third parties of legal claims; or
  • where there is a specific exemption provided under Data Protection Regulations, such as substantial public interest.

 

Why do we use your personal data?

We use personal data to provide water and sewerage retail services to non-household customers in England and Scotland. We also provide supplementary services such as water and energy efficiency solutions.

How do we use your personal data?

We use and collect personal data to:

  • provide water and wastewater retail invoicing and meter reading services;
  • meet our legal and regulatory obligations;
  • make decisions on how best to provide the services to you, understand your needs and how they may be;
  • provide you with customer services and manage our business relationship with you;
  • maintain our records;
  • to collect and recovery money that is owed to us;
  • verify your identity (as required);
  • contact you by post, email or telephone, including automated voicemail and SMS;
  • prevent, investigate, detect and report crime, fraud or corruption; and
  • carry out analytics across our datasets.

 

We may also process your personal data using artificial intelligence software to improve the efficiency, quality, and speed of providing services to you. Where processing takes place in this regard, we rely on the legitimate interest of improving the delivery of our services to you.

Who is your personal data shared with?

We may share personal data with third parties to help manage our business and deliver the water and/or wastewater retail services, other supplementary services relating to water and energy efficiency, as outlined below:

  • local authorities and government bodies, including but not limited to HM Revenue and Customs, regulators and other tax authorities, law enforcement and fraud prevention agencies within the United Kingdom;
  • other water and wastewater retailers and wholesalers;
  • regulators such as WICS and Ofwat;
  • market operators such as MOSL and the CMA;
  • ombudsman such as the Scottish Public Services Ombudsman (for customers based in Scotland) or the Consumer Council for Water (for customers based in England);
  • service providers, suppliers, sub-contractors and advisors who help manage our IT and back-office systems;
  • debt collection agencies who assist in the recovery of monies that are owed to us;
  • credit reference agencies (such as Experian, as detailed below);
  • service providers who enable us to communicate important information regarding the services across the non-household water retail market;
  • solicitors and other professional services firms (including our auditors);
  • if you set up a direct debit with us, we will share your data with the Direct Debit Scheme;
  • third parties, such as brokers, for the purposes of their provision of services to customers;
  • third-party data processors, such as consultancies, technology companies, and other data providers who can provide analytics and data enrichment across our datasets; and
  • joint account holders on your customer account, or someone who is linked with you or your business.

 

We will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity. We will also continue to exchange information about you with CRAs on an ongoing basis, including your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at Experian.

Please note that we only allow organisations to handle your personal data if we are satisfied that they take appropriate measures to protect your personal data. We may also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and you.

Where is your personal data stored?

All the personal data we store, and use, is processed by our staff, and/or by selected third-party service providers, such as for the provision of IT services. As such it will be stored on our systems and in some cases at our premises, including those premises of our third-party service/data providers.

We may also store your personal data using cloud-based services.

We take all reasonable steps to ensure that personal data is processed securely. Where data is shared with third parties a data processing or data-sharing agreement will be agreed upon between us and the third party.

We will not share personal data outside the EEA unless

  • it is a transfer to a country or organisation which is recognised by data protection legislation as providing an adequate level of legal protection for your information, or
  • we have put in place appropriate contractual arrangements with the organisation with whom we are sharing your information on terms recognised under data protection legislation as offering an adequate level of protection for your information.

 

We rely on adequacy regulations for transfers to the following countries:

  • Norway
  • Portugal
  • Argentina

 

Any changes to the destinations to which we send personal data or in the transfer mechanisms we rely on to transfer personal data internationally will be notified to you in accordance with the section on ‘Changes to this privacy policy’ below.

If you would like further information about data transferred outside the UK, please contact our Data Protection Team at dpo@castlewater.co.uk.

How long do we keep it?

We store and use your personal data for as long as you are a customer of the Castle Water Group.

We may keep your personal data for up to six years from the date (i) you stop being a customer of the Castle Water Group; or (ii) of last correspondence with you (whichever is later).

Where your personal data is no longer required, we will ensure it is securely deletion in a way that means that it will no longer be used by the business.

Your rights explained

Individuals have several rights in relation to their personal data. These are defined in more detail below (please note that the following table is not an exhaustive list):

Access to a copy of your personal data

You can access to:

·        confirm whether we are processing your personal data;

·        give you a copy of the personal data we hold about you via a Subject Access Request; and

  • provide you with other information about your personal data such as what data we hold, the purposes for which we use it, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out automated decision making or profiling, to the extent that information has not already been provided to you in this notice
RectificationYou can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.
Deletion

You can ask us to erase your personal data, but only where:

  • it is no longer needed for the purposes for which it was collected; or
  • you have withdrawn your consent (where the data processing was based on consent); or
  • it follows a successful right to object; or
  • it has been processed unlawfully; or
  • it is not necessary to comply with a legal obligation to which we are subject to.

We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary:

  • for compliance with a legal obligation; or
  • for the establishment, exercise, or defence of legal claims.
Restriction of Use

You can ask us to restrict (i.e. keep but not use) your personal data, but only where:

  • its accuracy is contested, to allow us to verify its accuracy; or
  • the processing is unlawful, but you do not want it erased; or
  • it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
  • you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal data following a request for restriction, where:

  • we have your consent; or
  • establish, exercise or defend legal claims; or
  • to protect the rights of another natural or legal person.
ObjectionYou can object to any processing of your personal data which has our ‘legitimate interests’ as its legal basis if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling grounds to process it which override your rights, however, this does not apply as far as the objections refers to the use of personal data for direct marketing purposes.

 

Further information on your rights under the Data Protection Regulations can be found on the Information Commissioner Office’s website.

Any requests for access, deletion, rectification, restriction or objection will be considered and evaluated by the data protection team. Such requests should be made to: dpo@castlewater.co.uk

 

Keeping your personal data secure

We have appropriate security measures to prevent personal data from being accidentally lost or used or accessed unlawfully. We limit access to your personal data to those who have a genuine need to access it.

We continually test our systems and are ISO 27001 certified, which means we follow top industry standards for information security.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a data security breach where we are legally required to do so.

Fees

We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive, or excessive, in which case we will charge a reasonable amount in the circumstances.

Timescales

We aim to respond to any valid requests as soon as possible after receipt and within one calendar month. If we need longer to respond to your request, we will notify you of this within a month of your request, explaining the reasons for the delay. We will not extend the timeframe for our response for any more than an additional two months. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.

Exemptions

Local laws, including in the United Kingdom, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example, where it is subject to legal privilege.

You have a right at any time to stop us from contacting you for marketing purposes. If you no longer wish to be contacted by us for marketing purposes, please let us know by email dpo@castlewater.co.uk.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review and in accordance with current legislation and guidance. We will notify any changes to this notice by posting on our website. This privacy notice was last updated on 24 June 2025.

Contacting us

If there are any questions regarding this privacy policy, please contact our Data Protection Team at: dpo@castlewater.co.uk 

Read further about your information rights from the Information Commissioner’s Office.