Summary: Asbestos Connect collects only the information necessary to connect asbestos removal employers with qualified operatives. We encrypt sensitive data, never sell your information, and comply with UK GDPR.
1. Who We Are
Asbestos Connect ("we", "us", "our") operates the Asbestos Connect mobile application and website at asbestosconnect.co.uk. We provide a platform connecting asbestos removal employers with qualified operatives across the United Kingdom.
For data protection enquiries, contact us at: admin@asbestosconnect.co.uk
2. Information We Collect
Account Information
- Full name
- Email address
- UK mobile phone number
- Date of birth (operatives only — to verify you are 18 or over as required by law)
- Account type (employer or operative)
- Password (stored securely using bcrypt hashing)
Employer Information
- Company name (auto-filled and verified via Companies House)
- Companies House registration number (used to verify the company is active and legitimately registered in the UK)
- Job listings including site addresses, day rates, and site supervisor details
Company Verification: When registering as an employer, your Companies House registration number is checked in real time against the official Companies House public register. Only companies with an active status are permitted to register. Your verified company name is recorded and cannot be manually altered.
Operative Profile Information
- Training certificates, face-fit certificates, and medical certificates (uploaded documents)
- Document expiry dates
- Timesheet records including daily work hours and RPE (Respiratory Protective Equipment) exposure data
- Work history entries (employer name, job role, dates, location, and optional notes) added voluntarily by the operative
Ratings and Reviews
- Employers may submit a star rating (1–5) and an optional written review for operatives they have accepted on a job
- Ratings are linked to the specific employer, operative, and job — one rating per employer per job
- An operative's average rating is visible to employers when reviewing applicants
- Ratings may be updated or deleted by the employer who submitted them
Employee Induction Form Data
- Full legal name, date of birth
- National Insurance number
- UTR (Unique Taxpayer Reference) number
- Bank details (sort code and account number)
- Medical conditions
- Emergency contact information
Encryption: Sensitive induction form data (NI number, UTR, bank details, and medical conditions) is encrypted using Fernet symmetric encryption and stored in encrypted form. This data is only decrypted when viewed by an authorised employer through an existing application relationship.
Access restriction: Financial information — including bank details, National Insurance number, and UTR — is never visible to platform administrators, other operatives, or any third party. It is accessible only to the specific employer you have an active working relationship with on the platform. Even our own admin accounts cannot view this information.
Payment Information
- Payment processing is handled by Stripe. We do not store your full card details on our servers.
- We store a card fingerprint (a unique identifier generated by Stripe) for fraud prevention purposes only.
Usage Data
- IP address (for login rate limiting and security)
- Messages sent between employers and operatives
3. How We Use Your Information
We use your information for the following purposes:
- Platform operation: To create and manage your account, facilitate job postings and applications, and enable communication between employers and operatives
- Company verification: To confirm that employer accounts are associated with a legitimately registered and active UK company via Companies House
- Age verification: To confirm that operative users are aged 18 or over before granting access to the platform
- Document management: To store and track your professional certificates and their expiry dates
- Timesheet tracking: To record daily work activities and RPE exposure for health and safety compliance
- Work history: To allow operatives to present their employment background to prospective employers within the platform
- Ratings and reviews: To enable employers to provide feedback on operatives and help other employers make informed hiring decisions
- Payment processing: To manage employer subscription plans (monthly, quarterly, semi-annual, and annual billing), pay-per-post job fees, and individual job posting charges through Stripe
- Security: To prevent unauthorised access, brute-force attacks, and fraudulent trial abuse
- Communications: To send password reset emails, job alert notifications, and payment failure warnings via email
4. Legal Basis for Processing
We process your personal data under the following legal bases as defined by UK GDPR:
- Contract: Processing necessary to provide our services to you (account management, job matching, payments)
- Legitimate interest: Fraud prevention, platform security, trial abuse prevention, company verification, and age verification
- Legal obligation: Health and safety record keeping (RPE exposure tracking)
- Consent: Job alert email notifications (you can unsubscribe at any time)
5. Trial Abuse Prevention
To prevent abuse of our free trial offers, we implement the following measures:
- Each UK mobile phone number may only be registered to one account
- Payment card details are required during trial registration
- When an account is deleted, we retain one-way hashed identifiers (email hash, phone hash, card fingerprint hash) in a trial history record
GDPR Compliance: Only irreversible one-way hashes are stored — not your actual email, phone number, or card details. These hashes cannot be reversed to reveal your personal information. This processing is justified under our legitimate interest in fraud prevention.
6. Data Sharing
We do not sell your personal data. We share information only with:
- Stripe: Payment processing (governed by Stripe's Privacy Policy)
- SendGrid: Email delivery for password resets, job alerts, and payment notifications (governed by Twilio's Privacy Policy)
- Companies House: Employer registration numbers are checked against the Companies House public API to verify company status. No personal data is transmitted — only the company registration number you provide.
- Employers/Operatives: Relevant profile information is shared between parties when an application relationship exists (e.g., employers can view operative documents, induction forms, work history, and ratings for accepted applicants only)
7. Data Security
We take the security of your data seriously:
- All connections are encrypted in transit using HTTPS
- Passwords are hashed using bcrypt (never stored in plain text)
- Sensitive personal data is encrypted at rest using Fernet encryption
- Login rate limiting prevents brute-force attacks (maximum 5 failed attempts per 15 minutes)
- Session cookies use Secure and SameSite attributes
- Database connections use connection pooling with secure credentials
8. Data Retention
- Active accounts: Data is retained for as long as your account is active
- Deleted accounts: Personal data is deleted upon account deletion, except for hashed trial abuse prevention records (which cannot identify you)
- Timesheets, documents, work history, and ratings: Retained while your account is active; deleted when you delete your account
- Messages: Deleted when either party's account is deleted
9. Your Rights (UK GDPR)
You have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Request deletion of your account and personal data
- Right to restrict processing: Request limitation of how we use your data
- Right to data portability: Request your data in a machine-readable format
- Right to object: Object to processing based on legitimate interests
To exercise any of these rights, contact us at admin@asbestosconnect.co.uk. We will respond within 30 days.
10. Children's Privacy
Asbestos Connect is designed for professional use by adults aged 18 and over. Operative users must confirm their date of birth at registration — anyone under 18 is not permitted to register. We do not knowingly collect data from children under 18. If we become aware that a child under 18 has provided us with personal data, we will delete it immediately.
11. Cookies and Local Storage
We use the following types of cookies:
- Essential cookies: Required for authentication and keeping you logged in. These cannot be disabled.
- Service worker cache: For offline functionality and faster loading (PWA feature).
- Analytics cookies (with consent): We use Google Analytics to understand how visitors use the platform. These are only set if you accept cookies. You can withdraw consent at any time by clearing your browser cookies.
For full details, see our Cookies Policy.
12. Platform Disclaimer
Asbestos Connect operates as an online platform that facilitates introductions between independent asbestos operatives and licensed asbestos removal contractors.
Asbestos Connect does not employ, supply, supervise, or control any operatives and does not act as an employment business or labour provider.
Any engagement, contract, or working arrangement entered into between a contractor and an operative is solely between those parties. Asbestos Connect is not a party to any such agreement and accepts no responsibility for the performance, conduct, competence, or actions of any operative or contractor using the platform.
Contractors are responsible for verifying that all operatives hold the necessary qualifications, training, medical certification, and licences required for the work being undertaken.
Operatives are responsible for ensuring that they comply with all relevant health and safety legislation, training requirements, and industry regulations.
Asbestos Connect accepts no liability for any loss, damage, injury, or incident arising from work carried out by users of the platform.
13. GDPR Training & Certification
The data controller responsible for Asbestos Connect has completed certified GDPR training to ensure your personal data is handled lawfully, fairly, and transparently in accordance with UK GDPR requirements.
General Data Protection Regulation (GDPR) — Certified
Completed: 20th March 2026 | Certificate No. 326575
Issued by Highfield e-learning | Verify at: lms.elearningatwork.co.uk/check
14. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically.
15. Contact Us
If you have questions about this privacy policy or our data practices, please contact us:
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.