Privacy Policy

TradeBooked ("TradeBooked", "we", "us", "our") is a UK-based software platform for tradespeople. We are committed to protecting personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Questions about this policy can be sent to compliance@tradebooked.co.uk. This Privacy Policy explains how we collect, use, share, and protect personal data in connection with the TradeBooked platform. Effective date: 6 April 2026 1. WHO THIS POLICY APPLIES TO This policy applies to two groups of people: - Tradespeople — individuals or businesses who create a TradeBooked account to manage bookings, customers, and communications. - Customers — individuals who submit a booking through a tradesperson's TradeBooked booking page. If you are visiting our marketing site without signing up or booking, section 7 (Cookies and analytics) is most relevant to you. 2. OUR ROLE — CONTROLLER AND PROCESSOR Where we process personal data relating to a tradesperson's own account — including their name, login details, subscription, billing, communications preferences, and use of the platform — TradeBooked acts as the data controller. Where a customer submits personal data through a tradesperson's booking page, the tradesperson is typically the data controller for that customer data. TradeBooked acts as a data processor on the tradesperson's behalf, handling that data only as necessary to operate the platform and related services. Tradespeople are responsible for identifying an appropriate lawful basis for collecting customer data, providing customers with any required privacy notices, and complying with their own data protection obligations. 3. INFORMATION WE COLLECT From tradespeople (account holders): - Name, email address, and phone number - Business name, trade type, and public-facing business slug - Town and postcode coverage areas - Services, pricing, and availability settings - Account credentials (passwords are stored as one-way hashes and are never readable by us) - Subscription plan, billing status, and payment method details (payment card data is handled entirely by Stripe — we do not store raw card numbers) - Connected account identifiers (e.g. a Stripe Connect account ID or Google Calendar refresh token where those features are enabled) - Communications preferences, notification settings, and SMS or Telegram opt-in status - Uploaded branding assets such as logo images - Usage data relating to the account — including login timestamps, feature usage, and audit events From customers making a booking: - Name, email address, and phone number - Service address or postcode - Booking date, time, and duration - Answers to trade-specific questions configured by the tradesperson - Photos, videos, or other files uploaded as part of a booking - Notes or additional information provided at booking - Deposit payment details where a deposit is required (payment is processed by Stripe; we store the payment reference and status only) - Communications related to the booking — including confirmations, reminders, and any chat or review messages Automatically collected technical data: - IP address, device type, browser type, and operating system - Pages visited, timestamps, and referrer information - Error logs and crash reports where an issue occurs - Cookie and analytics data — see section 7 4. HOW WE USE INFORMATION We use personal data to: - Create and manage tradesperson accounts and subscriptions - Operate and display booking pages and accept, confirm, and manage bookings - Send booking confirmations, appointment reminders, and status updates to customers by email and SMS - Send booking notifications, reminders, and operational alerts to tradespeople by email, SMS, and Telegram (where enabled) - Process deposit payments and subscription billing - Synchronise bookings to a tradesperson's Google Calendar (Autopilot plan only, where enabled) - Enable rebooking campaigns — automated follow-up messages sent by the tradesperson to past customers (only where the tradesperson has configured and activated a campaign) - Facilitate customer reviews and ratings where the tradesperson has requested them - Provide AI-assisted trade suggestions and diagnostics (where the Trade Assist feature is active) - Manage branded merchandise orders via our print fulfilment partner - Provide customer support and respond to queries and complaints - Detect and prevent fraud, abuse, and security incidents - Monitor platform reliability, performance, and errors - Improve the platform based on aggregated usage patterns - Comply with applicable legal and regulatory obligations We do not sell personal data to third parties. We do not use personal data for advertising targeting or share it with data brokers. 5. LEGAL BASES FOR PROCESSING We rely on the following UK GDPR lawful bases: - Contract (Article 6(1)(b)): Processing necessary to provide the TradeBooked service — for example, creating an account, managing bookings, sending confirmations and reminders, and processing payments. - Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests in operating, securing, and improving the platform — for example, error logging, fraud detection, and platform analytics — where those interests are not overridden by individuals' rights. - Legal obligation (Article 6(1)(c)): Where we are required to retain or disclose information by law — for example, financial records for tax purposes. - Consent (Article 6(1)(a)): Where we obtain explicit consent — for example, before setting optional analytics cookies, or before sending optional marketing or rebooking communications where consent is required. Where TradeBooked processes customer data as a processor on behalf of a tradesperson, the tradesperson is responsible for identifying the applicable lawful basis as controller. 6. THIRD-PARTY SERVICE PROVIDERS (SUB-PROCESSORS) We share personal data with third-party providers only where necessary to operate the service. Our current sub-processors and partners include: - Stripe (US) — subscription billing and, where enabled, deposit payment processing via Stripe Connect. Stripe processes payment card data on our behalf under its own PCI-compliant infrastructure. - Resend (US) — transactional email delivery, including booking confirmations, reminders, and account notifications. - Twilio (US) — SMS messaging, including booking reminders, running-late alerts, and missed-call notifications. - Google (US) — where a tradesperson enables the Google Calendar integration, booking details are synced to their personal Google Calendar via the Google Calendar API. We store an OAuth refresh token on the tradesperson's behalf to maintain this sync. - Printful (US/EU) — print-on-demand fulfilment for branded merchandise orders. Where an order is placed, order and delivery details are shared with Printful. - Vercel (US) — platform hosting, edge infrastructure, and blob storage for uploaded files. - Sentry (US) — error monitoring and crash reporting. Sentry may capture technical context such as stack traces, browser type, and session identifiers in connection with errors. - Google Analytics (US) — optional web analytics loaded only where you have accepted analytics cookies. See section 7. - Telegram (optional, where enabled by the tradesperson) — booking notifications sent to the tradesperson's Telegram account. Where providers are based outside the UK, we take appropriate steps to ensure personal data is protected in line with UK GDPR, including relying on adequacy decisions, standard contractual clauses, or other appropriate transfer mechanisms where applicable. 7. COOKIES AND ANALYTICS TradeBooked uses cookies and similar technologies. We distinguish between essential cookies, which are necessary for the platform to function, and optional analytics cookies, which are only set after you accept via the cookie banner. Essential cookies include session tokens (to keep you logged in), CSRF protection tokens (to secure form submissions), and a cookie preference record. These cannot be disabled without breaking the service. Analytics cookies (optional, consent required) include Google Analytics cookies used to measure aggregate site performance and usage patterns. We do not use analytics data for advertising. Vercel also collects anonymised performance metrics from our infrastructure layer. For full details — including cookie names, durations, and how to manage your preferences — see our Cookie Policy at tradebooked.co.uk/cookies. 8. DATA RETENTION We retain personal data only as long as necessary for the purposes described above: - Account data: Retained while the account is active. Following account closure, we retain data for a reasonable period to allow data export, resolve disputes, and meet legal obligations, after which it is deleted or anonymised. - Booking and customer data: Retained while needed by the tradesperson for their business records and for a reasonable period after to allow for dispute resolution, support, and fraud prevention. - Uploaded photos and files: May be subject to plan-specific retention limits. Files may be automatically removed after a defined period depending on the feature and plan. - Payment and billing records: Retained for a minimum of 6 years to meet HMRC and legal requirements. - Security and audit logs: Retained for a reasonable period to support security investigations and service integrity. - Email unsubscribe and SMS opt-out records: Retained indefinitely to honour your preferences and comply with applicable messaging regulations. When data is no longer needed, we delete it or anonymise it so that it can no longer be associated with an individual. 9. SECURITY We apply appropriate technical and organisational security measures to protect personal data, including: - Encrypted connections (TLS) for all data in transit - One-way hashing of passwords — we cannot read your password - Hashed tokens for booking actions (confirmation, cancellation, review links) - Rate limiting on authentication endpoints to prevent brute-force attacks - Role-based access controls — account data is only accessible to the relevant tradesperson - Periodic backups stored in encrypted form No online service can guarantee absolute security. If you believe your account has been compromised, please contact us immediately at compliance@tradebooked.co.uk. 10. INTERNATIONAL TRANSFERS Some of our third-party providers process personal data in the United States and other countries outside the UK. Where personal data is transferred internationally, we rely on appropriate safeguards such as adequacy regulations, standard contractual clauses approved for use under UK GDPR, or other recognised transfer mechanisms to ensure your data receives an equivalent level of protection. 11. YOUR RIGHTS Under UK GDPR, you have the following rights regarding your personal data: - Access: Request a copy of the personal data we hold about you. - Rectification: Ask us to correct inaccurate or incomplete data. - Erasure: Request deletion of your personal data in certain circumstances. - Restriction: Ask us to restrict processing while a concern is resolved. - Objection: Object to processing based on legitimate interests. - Portability: Request your data in a machine-readable format where technically practicable. - Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing. Tradespeople can update or delete their account data directly from the account settings. To exercise any of the rights above, contact us at compliance@tradebooked.co.uk. We will respond within one month. If you are a customer who made a booking through a tradesperson's page, you may also need to contact that tradesperson directly as the primary controller of your booking data. To unsubscribe from emails, use the unsubscribe link in any email we send. To opt out of SMS messages, reply STOP to any SMS or contact us. 12. COMPLAINTS If you have a concern about how we handle personal data, please contact us first at compliance@tradebooked.co.uk. We take all complaints seriously and will aim to respond promptly. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's data protection supervisory authority: ico.org.uk. 13. CHANGES TO THIS POLICY We may update this Privacy Policy from time to time. We will update the effective date at the top of this page. Where a change is material, we will take appropriate steps to notify account holders — for example, via email or an in-app notice. Continued use of TradeBooked after the updated policy takes effect constitutes acceptance of the revised terms.