Pool service businesses collect more sensitive customer data than they realize: home address, gate codes, alarm passcodes, dog names, time-of-day they're typically home, payment information. A breach can be both a regulatory and reputational catastrophe.
Minimum-data principle. Collect only what you need. You do not need a customer's social security number or driver's license number. You don't need their birthdate unless you're sending a card. The less you store, the smaller your breach risk.
Where data lives. Your routing software, your billing software, your accounting software, the personal phones of every tech, the printed manifest in the truck cab. Each is a potential leak.
Tech access. Techs need addresses, gate codes, dog notes, schedule. They do NOT need full payment history, account balances, or customer phone numbers in their personal phone contacts (call from the company app instead). Limit what each role sees.
Payment data. Never store raw card numbers or full bank account numbers. Use a PCI-compliant processor (Stripe, Square, your routing software's built-in module). If a customer gives you their card number on the phone, enter it into the processor immediately and shred any paper.
Breach response. If you suspect a breach (lost phone, hacked email, stolen laptop with customer data), most states require customer notification within a defined window (often 30–60 days). Act quickly: change passwords, notify processor, consult an attorney about state-by-state notification rules.
Vendor due diligence. Your software vendors are your data processors. Read their security and breach-notification policies. Reputable vendors publish these; sketchy vendors don't.
State laws are tightening. CA (CCPA/CPRA), VA, CO, CT, UT, and others now have consumer privacy laws with real enforcement. They generally don't require small operators to do much, but the trend is toward more regulation, not less. Stay informed.