In this privacy notice references to “we”, or “Castle Water” (and connected words such as “us” or “our”) refer to the Castle Water Group (as defined below). We are the controller of personal data obtained via our website and the personal data collected and stored by us, meaning we are the organisation legally responsible for deciding how and for what purposes it is used in accordance with the UK General Data Protection Regulation and the Data Protection Act 2018 (the Data Protection Regulations).
Your personal data may be processed by any of the following parties:
(known together as the Castle Water Group)
This notice applies to the treatment of any information that could be used to identify an individual and which it provides to or is collected by the Castle Water Group, through direct interactions with you or the use of market information maintained by MOSL or the CMA.
We use the term “personal data” to describe the information we receive or collect about you.
The notice applies for users of Castle Water’s web platforms such as MyAccount and the Online Quotes Tool as well as customers who receive, or intend to receive, services from us.
The protection of personal data is very important to us, and we understand our responsibilities to handle personal data with care, to keep it secure and to comply with legal requirements.
This notice is not intended to override the terms of any contract that any customer may have with a Castle Water Group company (or any rights they might have available under applicable data protection laws).
We collect information about you when you visit our website, sign up for quotes, become our customer, are a prospective customer, or when you contact us.
The personal data we process for the provision of services includes, but is not limited to, the following:
In respect of our customers, we do not typically collect any special categories of personal data, such as details relating to health, in the general course of providing services to customers. However, we may store such data if it is essential, and we have an appropriate legal basis to do so.
We comply with the data minimisation principles as set out in the data protection regulations and will not collect any personal data that we do not need in order to provide the services and related matters
We must establish a lawful basis to use your personal data. We must only use personal data where we are satisfied that:
Before collecting and/or using any special categories of personal data we will establish an additional lawful basis to those set out above which will allow us to use that information. This additional exemption will typically be:
We use personal data to provide water and sewerage retail services to non-household customers in England and Scotland. We also provide supplementary services such as water and energy efficiency solutions.
We use and collect personal data to:
We may also process your personal data using artificial intelligence software to improve the efficiency, quality, and speed of providing services to you. Where processing takes place in this regard, we rely on the legitimate interest of improving the delivery of our services to you.
We may share personal data with third parties to help manage our business and deliver the water and/or wastewater retail services, other supplementary services relating to water and energy efficiency, as outlined below:
We will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity. We will also continue to exchange information about you with CRAs on an ongoing basis, including your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at Experian.
Please note that we only allow organisations to handle your personal data if we are satisfied that they take appropriate measures to protect your personal data. We may also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and you.
All the personal data we store, and use, is processed by our staff, and/or by selected third-party service providers, such as for the provision of IT services. As such it will be stored on our systems and in some cases at our premises, including those premises of our third-party service/data providers.
We may also store your personal data using cloud-based services.
We take all reasonable steps to ensure that personal data is processed securely. Where data is shared with third parties a data processing or data-sharing agreement will be agreed upon between us and the third party.
We will not share personal data outside the EEA unless
We rely on adequacy regulations for transfers to the following countries:
Any changes to the destinations to which we send personal data or in the transfer mechanisms we rely on to transfer personal data internationally will be notified to you in accordance with the section on ‘Changes to this privacy policy’ below.
If you would like further information about data transferred outside the UK, please contact our Data Protection Team at dpo@castlewater.co.uk.
We store and use your personal data for as long as you are a customer of the Castle Water Group.
We may keep your personal data for up to six years from the date (i) you stop being a customer of the Castle Water Group; or (ii) of last correspondence with you (whichever is later).
Where your personal data is no longer required, we will ensure it is securely deletion in a way that means that it will no longer be used by the business.
Individuals have several rights in relation to their personal data. These are defined in more detail below (please note that the following table is not an exhaustive list):
Access to a copy of your personal data | You can access to: · confirm whether we are processing your personal data; · give you a copy of the personal data we hold about you via a Subject Access Request; and
|
Rectification | You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it. |
Deletion | You can ask us to erase your personal data, but only where:
We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary:
|
Restriction of Use | You can ask us to restrict (i.e. keep but not use) your personal data, but only where:
We can continue to use your personal data following a request for restriction, where:
|
Objection | You can object to any processing of your personal data which has our ‘legitimate interests’ as its legal basis if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling grounds to process it which override your rights, however, this does not apply as far as the objections refers to the use of personal data for direct marketing purposes. |
Further information on your rights under the Data Protection Regulations can be found on the Information Commissioner Office’s website.
Any requests for access, deletion, rectification, restriction or objection will be considered and evaluated by the data protection team. Such requests should be made to: dpo@castlewater.co.uk
We have appropriate security measures to prevent personal data from being accidentally lost or used or accessed unlawfully. We limit access to your personal data to those who have a genuine need to access it.
We continually test our systems and are ISO 27001 certified, which means we follow top industry standards for information security.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a data security breach where we are legally required to do so.
We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive, or excessive, in which case we will charge a reasonable amount in the circumstances.
We aim to respond to any valid requests as soon as possible after receipt and within one calendar month. If we need longer to respond to your request, we will notify you of this within a month of your request, explaining the reasons for the delay. We will not extend the timeframe for our response for any more than an additional two months. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
Local laws, including in the United Kingdom, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example, where it is subject to legal privilege.
You have a right at any time to stop us from contacting you for marketing purposes. If you no longer wish to be contacted by us for marketing purposes, please let us know by email dpo@castlewater.co.uk.
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
We keep our privacy notice under regular review and in accordance with current legislation and guidance. We will notify any changes to this notice by posting on our website. This privacy notice was last updated on 24 June 2025.
If there are any questions regarding this privacy policy, please contact our Data Protection Team at: dpo@castlewater.co.uk
Read further about your information rights from the Information Commissioner’s Office.