Privacy Policy
Last updated: 8 March 2026
1. Who We Are
TradeTitan ("we", "us", "our") is a business management platform built for tradespeople. We are registered in England & Wales.
- Data controller: TradeTitan Ltd
- Contact email: hello@tradetitan.co.uk
- Website: www.tradetitan.co.uk
2. Data We Collect
2.1 Account & Organisation Data
When you register, we collect your name, email address, phone number, company name, billing address, and VAT number (if applicable). An Admin user creates the Organisation and may invite team members whose name, email, and role we also store.
2.2 Customer Data
You may store information about your own customers within TradeTitan, including their name, email, phone number, billing address, site addresses, pricing level, and notes. You are the data controller for your customers’ personal data; we act as a data processor on your behalf.
2.3 Operational Data
Jobs, quotes, invoices, purchase orders, bills, and associated line items you create within TradeTitan. This includes descriptions, dates, financial totals, statuses, and assigned staff.
2.4 Files & Uploads
Company logos, PDF branding themes, and job attachments (e.g. photos) you upload to TradeTitan. These are stored in Supabase Storage, scoped to your Organisation.
2.5 Voice & AI Data
If you use the AI Assistant (Pro plan), voice commands are processed in real time to extract structured data (e.g. customer name, job description). Voice recordings are not stored. Transcripts may be saved for your audit trail if you opt in. No data is sent to third-party AI training datasets.
2.6 Usage & Analytics Data
With your consent, we collect anonymous usage data via PostHog, including pages visited, features used, and session duration. This helps us improve the product. See our Cookie Policy for details.
2.7 Payment Data
Payments are processed by Stripe. We do not store your full card number. Stripe provides us with a tokenised reference, last four digits, card brand, and billing email. See Stripe’s Privacy Policy.
3. Lawful Basis for Processing
Under the UK General Data Protection Regulation (UK GDPR) we rely on the following lawful bases:
| Basis | What it covers |
|---|---|
| Contract | Processing necessary to provide the Service — account management, job tracking, invoicing, payment processing, transactional emails. |
| Consent | Marketing emails, analytics cookies (PostHog), optional transcript storage for AI Assistant. |
| Legitimate interest | Error monitoring (Sentry) to maintain service stability and security. |
4. How We Use Your Data
- Provide and operate the TradeTitan platform
- Process subscription payments via Stripe
- Send transactional emails — quote/invoice notifications, payment reminders, team invitations, magic-link portal access
- Run automated background tasks — overdue invoice checks, quote expiry reminders, subscription grace period transitions
- Generate documents — PDF quotes, invoices, and purchase orders
- Improve the product through anonymised analytics (with consent)
- Monitor and resolve errors (Sentry)
5. Third-Party Processors (Sub-processors)
We share data with the following third parties, each acting as a data processor under GDPR Article 28:
| Processor | Purpose | Data shared | DPA |
|---|---|---|---|
| Stripe | Payment processing | Billing email, payment method tokens | Link |
| Supabase | Database hosting & file storage | All application data | Link |
| PostHog | Product analytics | Anonymised usage events (with consent) | Link |
| Resend | Transactional email delivery | Recipient email, email content | Link |
| Railway | API hosting | Application runtime data | Link |
| Vercel | Frontend hosting | Static assets, server-side rendering | Link |
| Sentry | Error monitoring | Error stack traces, request metadata | Link |
6. Data Storage & Location
Application data is stored in a PostgreSQL database hosted by Supabase on AWS infrastructure in the EU. Uploaded files are stored in Supabase Storage (same EU region). Some sub-processors (e.g. Sentry, PostHog) may process data through infrastructure in the United States under appropriate safeguards (Standard Contractual Clauses).
7. Data Retention
| Scenario | Retention period |
|---|---|
| Active subscription | Data retained for the lifetime of the account |
| Subscription cancelled (Day 0–30) | Read-only access. Data retained. Recoverable on reactivation. |
| Organisation archived (Day 31–90) | Data retained but inaccessible. Recoverable on payment. |
| After 90 days post-cancellation | Permanent deletion — all Organisation data, user data, files, and associated records are irreversibly removed. |
| Customer personal data (your end-customers) | Retained up to 2 years after account deletion for legitimate business record-keeping, then deleted. |
8. Your Rights (UK GDPR)
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion of your personal data.
- Data portability — receive your data in a structured, machine-readable format. You can export your data at any time from within TradeTitan, including during a lapsed subscription.
- Restrict processing — request that we limit how we use your data.
- Object — object to processing based on legitimate interests.
- Withdraw consent — for consent-based processing (marketing, analytics), you can withdraw at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email hello@tradetitan.co.uk. We will respond within 30 days.
9. External Portal Access
Your customers and subcontractors may access limited data through time-limited magic-link URLs (valid for 30 days). Portal users can only view data scoped to their specific jobs, quotes, or invoices — they cannot access any broader Organisation data. No account creation is required for portal access.
10. Security
- Passwords are hashed using bcrypt — we never store plaintext passwords.
- Authentication uses JWT tokens with configurable expiry.
- CORS policies restrict API access to authorised origins only.
- Role-based access control enforces the principle of least privilege.
- Stripe webhook signatures are verified to prevent tampering.
- All data is transmitted over HTTPS/TLS.
11. Data Breach Notification
In the event of a personal data breach, we will notify the Information Commissioner’s Office (ICO) within 72 hours where required under GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
12. Children
TradeTitan is a business-to-business service designed for trade professionals. It is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or a prominent notice within the Service at least 30 days before the changes take effect. Your continued use of TradeTitan after changes are published constitutes acceptance.
14. Contact & Complaints
If you have questions about this policy or wish to exercise your data rights, contact us at hello@tradetitan.co.uk.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113