Privacy Policy
Last updated: 27 May 2026 · Version 1.0
Trade2Base ("we", "us" or "our") is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
By using Trade2Base you agree to the collection and use of information described in this policy. If you do not agree, please do not use the service.
1.Who we are
Trade2Base is a software-as-a-service platform for trade businesses (plumbers, electricians, builders, roofers and similar trades) operating in the United Kingdom. The data controller is Trade2Base Ltd, registered in England and Wales.
If you have any questions about how we handle your data, contact us at privacy@trade2base.com.
2.What data we collect
We collect different categories of data depending on how you use Trade2Base.
Account and business data
- Your name, email address and password hash
- Business name, phone number and trading address
- VAT number, Gas Safe or NICEIC registration (if provided)
- Subscription plan and billing contact details
- Profile photo or avatar (if uploaded)
- Preferred notification settings
Usage and activity data
- Pages visited, features used, session duration
- Log data including IP address, browser type, device type and timestamps
- Errors, crashes and performance metrics (to improve reliability)
- AI prompts you submit and responses generated (not stored beyond your session by default)
Payment data
We do not store card numbers. Payments are handled by Stripe, our PCI-DSS Level 1 certified payment processor. We receive a Stripe customer ID, last-four digits and billing status.
Communication data
- Support tickets and emails you send us
- Feedback submitted via the product
- Marketing preferences (opt-in/out records)
3.How we use your data
- Providing the service — creating your account, processing subscriptions, delivering CRM, campaign, AI and messaging features
- Improving the product — analysing aggregated usage patterns, fixing bugs and developing new features
- Customer support — responding to queries, resolving issues and diagnosing technical problems
- Billing and compliance — processing payments, issuing invoices, preventing fraud and meeting legal obligations
- Marketing — sending product updates, feature announcements and promotional offers where you have opted in
- Security — detecting abuse, preventing unauthorised access and protecting your account
4.Legal basis for processing
Under UK GDPR we rely on the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Running your account and subscription | Contract (Art. 6(1)(b)) |
| Billing and invoicing | Contract + legal obligation (Art. 6(1)(b)(c)) |
| Product analytics and improvement | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails | Consent (Art. 6(1)(a)) |
| Security monitoring | Legitimate interests (Art. 6(1)(f)) |
| Legal hold / fraud prevention | Legal obligation (Art. 6(1)(c)) |
5.Data we collect from your customers
When you use Trade2Base to manage your trade business, you store data about your own customers (names, phone numbers, addresses, job details, photos and messages). For this data, you are the data controller and Trade2Base acts as a data processor on your behalf.
You are responsible for ensuring you have a legal basis to store and process your customers' personal data. You should have a privacy notice on your own website or in your terms of service that explains to your customers how their data is used.
We process your customers' data only to deliver the Trade2Base service to you and will never use it for our own marketing purposes. A Data Processing Agreement (DPA) is available on request.
6.Third-party processors
We use carefully selected sub-processors to deliver Trade2Base. All sub-processors are contractually obligated to protect data to at least the standard required by UK GDPR.
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU / US (SCCs) |
| Stripe | Payment processing | EU / US (SCCs) |
| OpenAI | AI content generation (prompts + responses) | US (SCCs) |
| Twilio / WhatsApp | SMS and WhatsApp messaging | US (SCCs) |
| Meta (Facebook) | Ad lead sync (with your consent) | US (SCCs) |
| Ad conversion tracking (with your consent) | US (SCCs) | |
| TikTok | Ad lead sync (with your consent) | US (SCCs) |
| Mailhaus | Physical direct mail fulfilment | UK |
| Vercel | Web hosting and CDN | EU / US (SCCs) |
| PostHog / Plausible | Privacy-first analytics | EU |
SCCs = Standard Contractual Clauses (EU → UK adequacy / UK transfer mechanisms).
7.International transfers
Some of our processors operate outside the UK and EEA (notably in the United States). Where this occurs, we rely on either UK adequacy decisions or Standard Contractual Clauses (SCCs) as approved by the ICO, and we carry out transfer impact assessments where required.
8.How long we keep data
| Data type | Retention period |
|---|---|
| Account and profile data | Duration of subscription + 30 days after cancellation |
| Customer and job data (CRM) | Duration of subscription + 30 days after cancellation |
| Financial records (invoices, payments) | 7 years (UK tax law) |
| Support correspondence | 3 years after last contact |
| Server logs | 90 days rolling |
| Marketing consent records | Until consent is withdrawn + 1 year |
9.Your rights
Under UK GDPR you have the following rights. To exercise any of them, email us at privacy@trade2base.com. We will respond within 30 days.
Request a copy of all personal data we hold about you.
Ask us to correct inaccurate or incomplete data.
Request deletion of your data where there is no compelling reason for us to keep it (subject to legal retention obligations).
Ask us to pause processing your data in certain circumstances.
Receive your data in a machine-readable format (CSV / JSON) to transfer to another service.
Object to processing based on legitimate interests or direct marketing at any time.
Where processing is based on consent, withdraw it at any time without affecting prior processing.
Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have mishandled your data.
10.Cookies
Trade2Base uses cookies for the following purposes:
- Essential cookies — authentication session token (Supabase JWT), CSRF protection. These are strictly necessary and cannot be declined.
- Preference cookies — remembering your sidebar collapsed/expanded state, dark/light mode (if added). Stored in localStorage.
- Analytics cookies — privacy-first, cookie-free analytics via Plausible or PostHog. No cross-site tracking. You can opt out in Settings.
We do not use third-party advertising cookies or sell browsing data.
11.Children
Trade2Base is a business-to-business service intended for adults (18+) running trade businesses. We do not knowingly collect data from children. If you believe a child has created an account, contact us immediately.
12.Changes to this policy
We may update this policy as the product and regulatory environment evolves. We will notify you of material changes by email (to your registered address) at least 14 days before they take effect. Continued use after the effective date constitutes acceptance of the revised policy.
Previous versions are available on request at privacy@trade2base.com.
13.Contact us
Trade2Base Ltd
Registered in England and Wales
Privacy queries: privacy@trade2base.com
General support: support@trade2base.com
ICO registration number: [to be added before production launch]