Legal
Privacy Policy and Data Processing Agreement
Last updated: 1 June 2026 · Effective: 1 June 2026
Part A: Privacy Policy
1. About this policy and who we are
1.1 This policy explains how Barclo handles personal data through the web application at app.barclo.co.uk, the Barclo mobile application, and the website at barclo.co.uk (together, “Barclo” or “the Service”).
1.2 Barclo is operated by Yellowhite LTD, a company registered in England and Wales under company number 15526944, with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom (“we”, “us”, “our”).
1.3 We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Our two roles: controller and processor
Barclo handles personal data in two different roles, and which one applies changes who is responsible for what.
2.1 We are the controller for personal data about the businesses that subscribe to Barclo and the people who run them: account details, billing information, website visitors, and our own use of usage data to run and improve the Service. Part A of this policy covers that data.
2.2 We are the processor for the personal data that a subscribing business puts into Barclo about its own clients and their pets. In that relationship the business is the controller and decides why and how that data is used; we only process it on the business's instructions to provide the Service. Part B of this document sets out the terms of that arrangement.
2.3 If you are a pet owner whose details are held in Barclo by a pet-care business, that business is the controller of your data. To exercise your rights, or to ask how your data is used, contact the business directly. We will help that business respond, but we cannot make decisions about your data ourselves.
3. The personal data we collect, and why
As controller, we collect and use the following.
Account and profile data. Your name, business name, email address, phone number, role, and login credentials (passwords are stored only in hashed form). We use this to create and run your account, authenticate you, and provide the Service. Lawful basis: performance of our contract with you.
Billing data. Subscription status, plan, and billing records. Your payment card details are collected and processed directly by our payment processor, Stripe, and are not stored by us. We use billing data to take payment for your subscription and keep accounting records. Lawful basis: performance of our contract, and our legal obligation to keep financial records.
Usage and technical data. IP address, device and browser information, log data, and information about how you use the Service. We use this to operate, secure, troubleshoot and improve the Service, and to prevent fraud and abuse. Lawful basis: our legitimate interests in running a secure and functioning service.
Support data. The content of messages you send us when you ask for help. We use this to respond to you and improve our support. Lawful basis: our legitimate interests, and performance of our contract.
Marketing data. Where you have opted in, or where you are an existing customer and have not opted out, your contact details for sending you information about Barclo. You can opt out at any time using the unsubscribe link or by contacting us. Lawful basis: consent, or our legitimate interests in marketing to existing customers.
4. Client and pet data
When you use Barclo to manage your business, you enter personal data about your clients (for example names, contact details, addresses and notes) and information about their pets. We process this only as your processor, on your instructions, to provide the Service. We do not use it for our own purposes. Part B governs this processing. You, as the controller, are responsible for having a lawful basis and for giving your clients the privacy information they are entitled to.
5. Automated decision-making
Barclo automates tasks such as reminders, recurring bookings, invoices and reports. These help you run your business but do not make decisions that produce legal or similarly significant effects about any individual within the meaning of Article 22 of the UK GDPR. We do not carry out that kind of solely automated decision-making.
6. Who we share personal data with
We do not sell personal data. We share it only with the service providers that help us run Barclo, and where we are legally required to.
| Provider | What they do | Where |
|---|---|---|
| Stripe | Processes subscription and client payments | UK and EU, with transfers to the United States |
| Brevo (Sendinblue) | Sends transactional and notification emails | European Union (France) |
| Yellowhite | Hosts the Service and stores data | UK |
| Google Analytics | Website and product analytics | Global |
We may also disclose personal data if required by law, to enforce our terms, to protect the rights, safety or property of anyone, or as part of a sale or reorganisation of our business.
7. International transfers
7.1 Where personal data is transferred outside the UK, we make sure it is protected by an approved safeguard.
7.2 Transfers to Stripe in the United States are protected by the UK Extension to the EU-US Data Privacy Framework where Stripe is certified, and otherwise by the International Data Transfer Agreement (IDTA) or UK Addendum.
7.3 Brevo processes data within the European Union, which the UK recognises as providing an adequate level of protection.
8. How long we keep personal data
8.1 We keep account and profile data for as long as your account is active, and for 3 months after it closes, after which we delete or anonymise it, unless we need to keep it longer.
8.2 We keep billing and accounting records for 6 years to meet our legal obligations.
8.3 We keep usage and log data for 3 months.
8.4 Client and pet data is kept and deleted as set out in Part B and on the instructions of the controlling business.
9. How we keep personal data secure
We use appropriate technical and organisational measures to protect personal data, including encryption of data in transit, access controls and role-based permissions, separation of each business's data, restricted administrative access, and regular backups. No system can be guaranteed to be completely secure, but we work to protect your data and to deal quickly with any issue. Our security measures are described further in Annex 2.
10. Your rights
10.1 Under UK data protection law you have the right to: be informed about how your data is used; access your data; have inaccurate data corrected; have your data erased in certain circumstances; restrict or object to processing; data portability; and, where we rely on consent, to withdraw it at any time.
10.2 To exercise any of these rights over data we control, contact us using the details in section 13. We will respond within one month.
10.3 If your data is held in Barclo by a pet-care business, that business is the controller. Send your request to that business. We will assist them in responding.
10.4 You have the right to complain to the ICO at ico.org.uk or on 0303 123 1113. We would appreciate the chance to address your concern first.
11. Cookies
The Service uses cookies and similar technologies. Strictly necessary cookies (for example to keep you logged in) are used without consent because the Service cannot work without them. Any non-essential cookies, such as analytics, are used only with your consent.
12. Children
Barclo is a tool for businesses and is not directed at children. We do not knowingly collect personal data from children.
13. Contact and changes
13.1 For any privacy question or to exercise your rights, contact:
Barclo, a trading name of Yellowhite LTD
71-75 Shelton Street
Covent Garden
London, WC2H 9JQ
United Kingdom
Email: [email protected]
13.2 We may update this policy. If we make a material change we will give reasonable notice, for example by email or a notice in the app, before it takes effect.
Part B: Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the agreement between us and a business that subscribes to Barclo (the “Customer”). It applies where we process personal data on the Customer's behalf. In this Part, “you” and “your” mean the Customer.
1. Roles and scope
1.1 For personal data about your clients and their pets that is processed through Barclo, you are the controller and we are your processor.
1.2 This DPA, together with our Terms of Service and your configuration and use of the Service, sets out your documented instructions to us. We will process the personal data only to provide and support the Service, and as set out in this DPA, unless the law requires otherwise, in which case we will tell you first unless the law prevents us.
1.3 The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are set out in Annex 1.
1.4 If we believe an instruction from you breaches data protection law, we will tell you.
2. Our obligations as processor
We will:
2.1 Process only on your documented instructions, as described in clause 1.2, including for any transfer of personal data outside the UK.
2.2 Confidentiality. Ensure that the people we authorise to process the personal data are bound by a duty of confidentiality.
2.3 Security. Take appropriate technical and organisational measures to protect the personal data, as required by Article 32 of the UK GDPR. Our current measures are set out in Annex 2.
2.4 Sub-processors. Only engage another processor (a “sub-processor”) under your authorisation, as set out in clause 3.
2.5 Assist with individuals' rights. Taking into account the nature of the processing, help you by appropriate technical and organisational measures, so far as possible, to respond to requests from individuals exercising their rights. Where a client contacts us directly about data we hold for you, we will refer them to you.
2.6 Assist with your wider obligations. Taking into account the nature of processing and the information available to us, help you meet your obligations around security of processing, notifying personal data breaches, communicating breaches to individuals, and data protection impact assessments and prior consultation (Articles 32 to 36).
2.7 Breach notification. Notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide the information you reasonably need to meet your own breach-reporting obligations.
2.8 Deletion or return. At the end of the provision of the Service, delete or return all the personal data to you at your choice, and delete existing copies unless the law requires us to keep them. You will be able to export your data for 30 days after termination, after which we may delete it.
2.9 Audits and information. Make available to you the information reasonably necessary to demonstrate compliance with Article 28, and allow for and contribute to audits, including inspections, conducted by you or an auditor you appoint. Audits may be subject to reasonable notice, frequency, confidentiality and cost conditions, and must not unreasonably disrupt our business. We may satisfy this by providing relevant certifications or third-party reports where available.
2.10 Nothing in this DPA relieves us of our own direct responsibilities and liabilities as a processor under the UK GDPR.
3. Sub-processors
3.1 You give us general written authorisation to engage the sub-processors listed in Annex 3.
3.2 If we intend to add or replace a sub-processor, we will give you at least 14 days notice, for example by email or a notice in the app, so you have the chance to object on reasonable data protection grounds. If you object, we will work with you in good faith to find a resolution. If we cannot, you may terminate the affected part of the Service.
3.3 We will put a contract in place with each sub-processor imposing the same data protection obligations as in this DPA, and we remain liable to you for a sub-processor's performance of those obligations.
4. Your obligations as controller
You confirm that:
4.1 You have a lawful basis to collect and process the personal data you put into Barclo, and to instruct us to process it.
4.2 You have given your clients the privacy information required by the UK GDPR, including that their data is processed using Barclo, and have obtained any consents needed.
4.3 Your instructions to us are lawful, and the data you provide does not infringe anyone's rights.
5. International transfers
We will not transfer your data outside the UK except as needed to provide the Service through the sub-processors in Annex 3, and where an approved transfer safeguard is in place, as described in section 7 of Part A.
6. General
6.1 This DPA is part of the Terms of Service. If there is a conflict between this DPA and the rest of the Terms about the processing of personal data, this DPA prevails.
6.2 This DPA is governed by the law of England and Wales.
Annex 1: Details of processing
Subject matter: provision of the Barclo pet-care business management service.
Duration: for as long as the Customer's subscription is active, plus any export and deletion period afterwards.
Nature and purpose: hosting, storing, organising, displaying and transmitting personal data so the Customer can manage clients, pets, bookings, scheduling, communications, invoicing and payment requests.
Types of personal data: client names, contact details (email, phone, address), notes and messages, booking and scheduling records, invoice and payment records, and information about pets that may be linked to an identifiable owner. The data is ordinary personal data. The Customer must not use free-text fields to record special category data unless it has a lawful basis to do so.
Categories of data subjects: the Customer's clients (pet owners), and any other individuals the Customer chooses to record, such as emergency contacts.
Annex 2: Security measures
Our current technical and organisational measures include:
- encryption of data in transit using TLS;
- access controls and role-based permissions, so users only see what their role allows;
- separation of each business's data so one business cannot access another's;
- restricted and logged administrative access on a least-privilege basis;
- secure password storage using hashing;
- regular backups and a documented restore process;
- hosting on a managed, access-controlled server environment; and
- monitoring and logging to detect and respond to issues.
Annex 3: Authorised sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing for subscriptions and client payments | UK and EU, with transfers to the United States under the UK Extension to the Data Privacy Framework or the IDTA |
| Brevo (Sendinblue) | Sending transactional and notification emails | European Union (France) |
| Yellowhite | Hosting and data storage | UK |
| Google Analytics | Checking usage data | International |