TradeBooked.co.uk

Legal

Privacy Policy

Effective date: 17 May 2026

TradeBooked.co.uk powered by SDAN LTD (Company number 17147199)

Registered office: 128 City Road, London, United Kingdom, EC1V 2NX

TradeBooked ("TradeBooked", "we", "us", "our") is operated by SDAN LTD (company number 17147199), a UK-based software platform for tradespeople. We are committed to protecting personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Questions about this policy can be sent to compliance@tradebooked.co.uk.

This Privacy Policy explains how we collect, use, share, and protect personal data in connection with the TradeBooked platform.

1. Who this policy applies to

This policy applies to two groups of people:

  • Tradespeople - individuals or businesses who create a TradeBooked account to manage bookings, customers, and communications.
  • Customers - individuals who submit a booking through a tradesperson's TradeBooked booking page.

If you are visiting our marketing site without signing up or booking, section 7 (Cookies and analytics) is most relevant to you.

2. Our role - controller and processor

Where we process personal data relating to a tradesperson's own account - including their name, login details, subscription, billing, communications preferences, and use of the platform - TradeBooked acts as the data controller.

Where a customer submits personal data through a tradesperson's booking page, the tradesperson is typically the data controller for that customer data. TradeBooked acts as a data processor on the tradesperson's behalf, handling that data only as necessary to operate the platform and related services.

Tradespeople are responsible for identifying an appropriate lawful basis for collecting customer data, providing customers with any required privacy notices, and complying with their own data protection obligations.

3. Information we collect

From tradespeople (account holders):

  • Name, email address, and phone number
  • Business name, trade type, and public-facing business slug
  • Town and postcode coverage areas
  • Services, pricing, and availability settings
  • Account credentials (passwords are stored as one-way hashes and are never readable by us)
  • Subscription plan, billing status, and payment method details (payment card data is handled entirely by Stripe - we do not store raw card numbers)
  • Connected account identifiers (for example, a Stripe Connect account ID or Google Calendar refresh token where those features are enabled)
  • Communications preferences, notification settings, and SMS opt-in status
  • Uploaded branding assets such as logo images
  • Usage data relating to the account - including login timestamps, feature usage, and audit events

From customers making a booking:

  • Name, email address, and phone number
  • Service address or postcode
  • Booking date, time, and duration
  • Answers to trade-specific questions configured by the tradesperson
  • Photos, videos, or other files uploaded as part of a booking
  • Notes or additional information provided at booking
  • Deposit payment details where a deposit is required (payment is processed by Stripe; we store the payment reference and status only)
  • Communications related to the booking - including confirmations, reminders, and any chat or review messages

From visitors who check coverage on a booking page:

  • The outcode (the first half of a UK postcode, for example "SW1A") that a visitor enters when checking whether a tradesperson covers a given area, together with whether that area was inside or outside the tradesperson's coverage. This is captured whether or not the visitor goes on to submit a booking. We do not store the full postcode for these events and we do not link them to a visitor's identity. TradeBooked is the controller for this aggregated coverage data and processes it on the basis of our legitimate interests (Article 6(1)(f)) in providing coverage analytics to tradespeople. Records are deleted automatically after 90 days (see section 8).

Automatically collected technical data:

  • IP address, device type, browser type, and operating system
  • Pages visited, timestamps, and referrer information
  • Error logs and crash reports where an issue occurs
  • Cookie and analytics data - see section 7

4. How we use information

We use personal data to:

  • Create and manage tradesperson accounts and subscriptions
  • Operate and display booking pages and accept, confirm, and manage bookings
  • Send booking confirmations, appointment reminders, and status updates to customers by email and SMS
  • Send booking notifications, reminders, and operational alerts to tradespeople by email, SMS, and push notification
  • Send accountant packs containing booking and financial summaries to a third-party recipient (your accountant) at the email address you configure, where enabled
  • Process deposit payments and subscription billing
  • Synchronise bookings to a tradesperson's Google Calendar (Pro plan and above, where enabled)
  • Enable rebooking campaigns - automated follow-up messages sent by the tradesperson to past customers (only where the tradesperson has configured and activated a campaign)
  • Facilitate customer reviews and ratings where the tradesperson has requested them
  • Display job photos that a tradesperson has chosen to feature in a public "Our work" gallery on their booking page (only proof-of-work photos the tradesperson has explicitly flagged, never customer-submitted attachments; see the photo retention note below)
  • Provide AI-assisted trade suggestions and diagnostics (where the Trade Assist feature is active)
  • Provide AI-assisted rewriting of tradesperson-typed notes into customer-facing invoice notes (where the Message Assist feature is active). Notes you type are sent transiently to our AI provider for rewriting after personal data patterns are automatically redacted. A copy of the bullets and the AI draft is retained on your account so you can rate drafts and we can tune the feature; raw bullets are purged after 90 days while aggregate metrics are kept indefinitely.
  • Manage branded merchandise orders via our print fulfilment partner
  • Provide customer support and respond to queries and complaints
  • Detect and prevent fraud, abuse, and security incidents
  • Monitor platform reliability, performance, and errors
  • Improve the platform based on aggregated usage patterns
  • Comply with applicable legal and regulatory obligations

We do not sell personal data to third parties. We do not use personal data for advertising targeting or share it with data brokers.

5. Legal bases for processing

We rely on the following UK GDPR lawful bases:

  • Contract (Article 6(1)(b)): Processing necessary to provide the TradeBooked service - for example, creating an account, managing bookings, sending confirmations and reminders, and processing payments.
  • Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests in operating, securing, and improving the platform - for example, error logging, fraud detection, and platform analytics - where those interests are not overridden by individuals' rights.
  • Legal obligation (Article 6(1)(c)): Where we are required to retain or disclose information by law - for example, financial records for tax purposes.
  • Consent (Article 6(1)(a)): Where we obtain explicit consent - for example, before setting optional analytics cookies, or before sending optional marketing or rebooking communications where consent is required.

Where TradeBooked processes customer data as a processor on behalf of a tradesperson, the tradesperson is responsible for identifying the applicable lawful basis as controller.

6. Third-party service providers (sub-processors)

We share personal data with third-party providers only where necessary to operate the service. Our current sub-processors and partners include:

  • Stripe (US) - subscription billing and, where enabled, deposit payment processing via Stripe Connect. Stripe processes payment card data on our behalf under its own PCI-compliant infrastructure.
  • GoCardless (UK) - where a tradesperson enables Direct Debit collection, customer bank mandate setup and recurring payment collection are handled by GoCardless under their FCA-authorised infrastructure. Customer name, email, and mandate metadata are shared to set up and operate the mandate.
  • Resend (US) - transactional email delivery, including booking confirmations, reminders, and account notifications.
  • Twilio (US) - SMS messaging, including booking reminders, running-late alerts, and missed-call notifications.
  • Google (US) - where enabled, booking details are synced to the tradesperson's personal Google Calendar via the Google Calendar API, and public customer review data is fetched from the Google Places API to display on the booking page. We store an OAuth refresh token on the tradesperson's behalf where applicable.
  • Xero (New Zealand) - where a tradesperson enables the Xero accounting integration, customer contact details, invoices, and payment records are synced to their Xero account. We store an OAuth refresh token on the tradesperson's behalf to maintain this sync.
  • FreeAgent (UK) - where a tradesperson enables the FreeAgent accounting integration, customer contact details, invoices, and payment records are synced to their FreeAgent account. We store an OAuth refresh token on the tradesperson's behalf to maintain this sync.
  • DVSA (Driver and Vehicle Standards Agency, UK) - where a vehicle registration number is provided as part of a booking, quote, or job, we may query the DVSA MOT History API to retrieve vehicle make, model, and MOT-related information. We do not send personal data about the vehicle owner to DVSA and DVSA does not return owner data to us.
  • Printful (US/EU) - print-on-demand fulfilment for branded merchandise orders. Where an order is placed, order and delivery details are shared with Printful.
  • Vercel (US) - platform hosting, edge infrastructure, and blob storage for uploaded files.
  • Managed Postgres database hosting (UK/EU region) - primary storage for account, booking, and customer data we hold on your behalf.
  • AI search and summarisation provider (US) - powers Trade Assist research queries on the Autopilot plan (fault diagnosis, regulation lookups, procedural guidance). Common patterns of personal data are automatically redacted on our servers before queries leave TradeBooked. International transfers are covered by standard contractual clauses approved under UK GDPR.
  • AI text-rewriting provider (US) - powers Message Assist on the Autopilot plan, an AI tone-transformer that rewrites tradesperson-typed bullet notes into customer-facing invoice notes. The same server-side redaction is applied to the bullets you submit before they leave TradeBooked. Notes are not used to train shared AI models. International transfers are covered by standard contractual clauses approved under UK GDPR.
  • Sentry (US) - error monitoring and crash reporting. Sentry may capture technical context such as stack traces, browser type, and session identifiers in connection with errors.
  • Google Analytics (US) - optional web analytics loaded only where you have accepted analytics cookies. See section 7.

In addition to the sub-processors listed above, where you configure it we send communications on your behalf to recipients you nominate (for example, an accountant email address you provide). Those recipients act independently of TradeBooked and are not our sub-processors.

Third-party providers and infrastructure may change from time to time in the ordinary course of operating and improving the service. Where personal data is transferred outside the UK, we take appropriate steps to ensure it receives protection in line with UK GDPR, including relying on adequacy decisions, standard contractual clauses, or other recognised transfer mechanisms.

7. Cookies and analytics

TradeBooked uses cookies and similar technologies. We distinguish between essential cookies, which are necessary for the platform to function, and optional analytics cookies, which are only set after you accept via the cookie banner.

Essential cookies include session tokens (to keep you logged in), CSRF protection tokens (to secure form submissions), and a cookie preference record. These cannot be disabled without breaking the service.

Analytics cookies (optional, consent required) include Google Analytics cookies used to measure aggregate site performance and usage patterns. We do not use analytics data for advertising. Vercel also collects anonymised performance metrics from our infrastructure layer.

For full details - including cookie names, durations, and how to manage your preferences - see our Cookie Policy.

8. Data retention

We retain personal data only as long as necessary for the purposes described above:

  • Account data: Retained while the account is active. Following account closure, we retain data for a reasonable period to allow data export, resolve disputes, and meet legal obligations, after which it is deleted or anonymised.
  • Trial-data retention schedule: When a free trial ends without conversion, we retain trial data for thirty days. We send a warning email five days before the scheduled deletion and a final reminder twenty-four hours before. From those emails you can: extend retention by six months (consent extensions are capped at two per business, ~12 months total), download a portable JSON archive of your data, or cancel the deletion if you have reactivated the account. If you take no action, deletion proceeds on the scheduled date and we email a completion confirmation with a download link to your portable archive that remains valid for sixty days.
  • Booking and customer data: Retained while needed by the tradesperson for their business records and for a reasonable period after to allow for dispute resolution, support, and fraud prevention.
  • Booking chat messages: Message text in the clarification chat is automatically deleted 7 days after the booking is closed (completed, cancelled, or declined). A record that a conversation took place is kept for audit purposes, but the content is not retained.
  • Uploaded photos and files: Customer photos submitted through the booking form are deleted after 90 days. Photos sent via the booking chat are deleted 30 days after the booking is closed, unless the tradesperson saves a photo as job evidence, in which case it follows the proof-of-work retention period (90, 365, or 730 days depending on plan). Proof-of-work photos uploaded directly by the tradesperson are retained for the plan-specific period and then deleted automatically. Where a tradesperson flags one of their proof-of-work photos to feature it, that photo is shown publicly in an "Our work" gallery on their booking page until they remove the flag, delete it, or it reaches the end of its retention period. The tradesperson chooses which photos to feature and is responsible for any consent needed from the customer whose job is shown.
  • Coverage check events: Outcode-only records of coverage checks (see section 3) are retained for 90 days on a rolling basis, after which they are automatically deleted.
  • Payment and billing records: Retained for a minimum of 6 years to meet HMRC and legal requirements.
  • Security and audit logs: Retained for a reasonable period to support security investigations and service integrity.
  • Email unsubscribe and SMS opt-out records: Retained indefinitely to honour your preferences and comply with applicable messaging regulations.

When data is no longer needed, we delete it or anonymise it so that it can no longer be associated with an individual.

9. Security

We apply appropriate technical and organisational security measures to protect personal data, including:

  • Encrypted connections (TLS) for all data in transit
  • One-way hashing of passwords - we cannot read your password
  • Hashed tokens for booking actions (confirmation, cancellation, review links)
  • Rate limiting on authentication endpoints to prevent brute-force attacks
  • Optional two-factor authentication via authenticator app, available in account settings
  • Each tradesperson can only access their own account, customer, and booking data. Access controls are enforced on every request, not on the client
  • Periodic backups stored in encrypted form

No online service can guarantee absolute security. If you believe your account has been compromised, please contact us immediately at compliance@tradebooked.co.uk.

Where a personal data breach occurs that is likely to result in a risk to your rights, we will notify the Information Commissioner's Office within 72 hours of becoming aware of it, and we will notify affected individuals without undue delay where the risk is high.

10. International transfers

Your account, booking, and customer data is stored in databases hosted in the UK or EU. Some operational services we use (such as payment processing, email delivery, SMS, and AI-powered features such as Trade Assist and Message Assist) are operated from outside the UK, and where they are, the safeguards below apply.

Where personal data is transferred internationally, we rely on appropriate safeguards such as adequacy regulations, standard contractual clauses approved for use under UK GDPR, or other recognised transfer mechanisms to ensure your data receives an equivalent level of protection.

11. Your rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Ask us to correct inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data in certain circumstances.
  • Restriction: Ask us to restrict processing while a concern is resolved.
  • Objection: Object to processing based on legitimate interests.
  • Portability: Request your data in a machine-readable format where technically practicable.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

Tradespeople can update or delete their account data directly from the account settings. To exercise any of the rights above, contact us at compliance@tradebooked.co.uk. We will respond within one month.

If you are a customer who made a booking through a tradesperson's page, you may also need to contact that tradesperson directly as the primary controller of your booking data.

To unsubscribe from emails, use the unsubscribe link in any email we send. To opt out of SMS messages, reply STOP to any SMS or contact us.

12. Children's data

TradeBooked is not directed at children. It is intended for adult tradespeople and adult customers booking trade services. Children under 18 must not create a TradeBooked account, submit a booking, or use TradeBooked directly.

We do not knowingly collect personal data directly from children as users of the service. TradeBooked does not use customer photos for facial recognition, biometric identification, or automated profiling of individuals.

If you are a parent or guardian and believe a child's personal data has been provided through TradeBooked, contact us at compliance@tradebooked.co.uk. Where TradeBooked controls that data, we will respond directly. Where the data is controlled by a tradesperson, such as booking details or uploaded customer photos, we will assist the tradesperson in handling the request.

Customers should not upload photos where a child is visible. Photos needed to describe a job should be retaken or cropped so that no child appears in the image.

13. Complaints

If you have a concern about how we handle personal data, please contact us first at compliance@tradebooked.co.uk. We take all complaints seriously and will aim to respond promptly.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) - the UK's data protection supervisory authority: ico.org.uk.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will update the effective date at the top of this page. Where a change is material, we will take appropriate steps to notify account holders, for example via email or an in-app notice. Continued use of TradeBooked after the updated policy takes effect constitutes acceptance of the revised terms.

Routine operational changes, including changes to the specific third-party providers we use within the categories described in section 6, are not material changes for the purposes of this section.