Privacy Policy

Who we are

Trade PA Ltd is a private limited company registered in England and Wales (company number 17176983). Our registered office is 40 Blakemere Crescent, Portsmouth, PO6 3SG, United Kingdom.

We are the data controller for personal data collected through the Trade PA service at tradespa.co.uk and its associated mobile and web applications (together, the "service").

We are registered with the UK Information Commissioner's Office (ICO) under reference ZC132378.

Scope & your role

This policy explains how we handle personal data about you, the tradesperson. The user who signs up to Trade PA, creates an account, and uses the service to run their business.

When you enter information about your own customers into Trade PA (for example, a homeowner's name, address, and phone number on a job card), you are the controller of that information and Trade PA Ltd acts as your data processor. You are responsible for:

• Having a lawful basis for collecting and storing your customers' data
• Providing your customers with appropriate privacy information
• Responding to any rights requests your customers make to you directly
• Your own registration with the ICO if required for your business

This policy covers how we act as processor for your customer data in section 8. For our role as controller of your own personal data, the rest of this policy applies.

Personal data we collect

We collect the following categories of personal data about you when you use Trade PA:

We do not ask for or intentionally collect special-category data under Article 9 UK GDPR (health, biometrics, ethnicity, religion, political views, union membership, sexual orientation, or genetic data). If you choose to enter such data into a free-text field (for example, noting a customer's accessibility needs in a job note), you do so at your own risk and must have a lawful basis for that processing.

How we use your data & lawful bases

Under UK GDPR we must have a lawful basis for each purpose we use your data for. The table below sets out every purpose and the corresponding basis.

You can object to any processing based on legitimate interests. See section 11.

AI processing

Trade PA uses AI models to power the voice assistant, transcribe voice input, synthesise voice responses, and orchestrate admin tasks. The following AI providers process your data on our behalf:

AI-generated output can be wrong. The AI assistant is a tool to help you run your admin more quickly. You remain responsible for checking that invoices, quotes, compliance certificates, and tax-relevant records it helps you create are accurate before you send or submit them.

Email integration (Gmail & Outlook)

Trade PA offers an optional feature to connect your Gmail or Microsoft Outlook account. This connection is entirely optional. The core app functions fully without it.

If you choose to connect your email account, Trade PA will request the following permissions:

• Read: to read messages in your inbox so the AI can surface customer enquiries, supplier invoices, and other trade-relevant emails
• Send: to send invoices, quotes, chase emails, and replies from your own email address on your behalf
• Modify: to mark emails as read when you open them inside Trade PA

Trade PA's use of data obtained from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use your Gmail data to develop, improve, or train generalised AI or machine-learning models. Gmail data is processed only within the specific features you use inside Trade PA and is not shared with third parties except the AI providers listed in section 5 for the specific purpose of classifying email content into actionable items.

You may revoke Trade PA's access to your email account at any time, either from within the Trade PA app (Settings → Integrations) or from your Google or Microsoft account security settings. Revoking access immediately halts all email processing; email content already surfaced in the app will be deleted within 7 days.

Voice calls & recordings

Two separate voice features exist in Trade PA:

Voice commands to the AI assistant

When you speak to the AI assistant, your microphone audio is captured by your browser, sent to our servers, and forwarded to an AI speech-to-text provider (see section 5) for transcription. The transcript is then processed by the AI orchestrator to produce a response, which is rendered back to you as spoken audio via the text-to-speech provider.

Audio recordings are retained for up to 24 hours for quality-assurance and debugging purposes, then permanently deleted. Transcripts are retained for up to 30 days as part of the conversation history so the AI can maintain context across your sessions, then deleted unless saved to a specific job or customer record by you.

Business phone number (optional add-on)

If you subscribe to the optional Trade PA phone number add-on, incoming and outgoing calls to that number are handled by Twilio. Calls may be recorded and transcribed so that the AI can log the call against the correct customer, extract action items, and update your records.

Call recordings are retained for 90 days by default, after which they are automatically deleted. You can disable recording entirely for individual calls, for all calls from a specific number, or globally from Settings → Phone.

Third-party processors

We use the following third-party processors to deliver the service. Each is contractually bound to process data only on our instructions, with appropriate security measures and (where relevant) transfer safeguards.

This list is current as of the effective date at the top of this policy. If we add a new processor that materially changes how we handle your data, we will update this page and notify you by email at least 30 days before the change takes effect.

International transfers

Several of our processors are based outside the United Kingdom and the European Economic Area, primarily in the United States. Where personal data is transferred to a jurisdiction without a UK adequacy decision, we rely on one or more of the following safeguards:

• The UK International Data Transfer Agreement (IDTA) with the recipient
• Standard Contractual Clauses (SCCs) with the UK Addendum
• The UK Extension to the EU-US Data Privacy Framework where the recipient is certified

You may request a copy of the safeguards applied to any transfer by contacting us at privacy@tradespa.co.uk.

Data retention

We keep personal data only for as long as necessary for the purposes set out in section 4. Specific retention periods:

When we delete data, we do so permanently from our active systems. Backup copies are overwritten within 30 days.

Your UK GDPR rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights in respect of your personal data:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: ask us to correct inaccurate or incomplete data
• Right to erasure: ask us to delete your data in certain circumstances (also known as the right to be forgotten)
• Right to restrict processing: ask us to pause processing while a dispute is resolved
• Right to data portability: receive your data in a structured, commonly used, machine-readable format
• Right to object: object to processing based on legitimate interests, including direct marketing (marketing objections are always honoured)
• Rights related to automated decision-making: we do not make decisions that have legal or similarly significant effects solely through automated processing
• Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal

To exercise any of these rights, email privacy@tradespa.co.uk. We will respond within one month as required by UK GDPR. If your request is complex or you have made multiple requests, we may extend this period by a further two months and will let you know if so. There is no fee for exercising your rights except in cases of manifestly unfounded or excessive requests.

How to delete your account

You can permanently delete your Trade PA account and all associated personal data at any time. There are two ways to do this:

Option 1 — From inside the app (recommended)

1. Open Trade PA on the web (tradespa.co.uk) or in the mobile app
2. Sign in with your account
3. Tap your profile icon → Settings
4. Scroll to Account → Delete account
5. Type your registered email address to confirm (must match exactly)
6. Tap Permanently delete

Your account is deactivated immediately. All personal data is permanently deleted within 30 days, with the exceptions noted below.

Option 2 — By email

If you cannot access your account (forgotten password, locked out, or already cancelled), email privacy@tradespa.co.uk from the email address registered to your account. Include the request “Please delete my Trade PA account and all associated data”. We will verify your identity and confirm the deletion within 30 days as required by UK GDPR.

What gets deleted

• Your profile, business details, and account credentials
• All jobs, customers, invoices, materials, subcontractors, and CIS records you created
• All voice recordings and conversation history
• All call recordings and transcripts
• All inbox connections and any cached email content
• All push notification tokens and device identifiers

What we may retain (and why)

UK law requires us to retain certain financial records after account deletion. Specifically:

• Subscription and payment records — retained for 6 years after deletion to comply with HMRC tax legislation. Stored separately from operational data and used only for tax and audit purposes.
• Anonymised aggregate analytics — usage statistics that cannot be traced back to you may be retained for product improvement.
• Encrypted backups — overwritten on a 30-day rolling basis. Your data will not appear in any backup older than 30 days post-deletion.

If you have any questions about the deletion process, email privacy@tradespa.co.uk.

Security

We protect your personal data using a combination of technical and organisational measures:

• All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
• Data at rest in our Supabase database is encrypted using AES-256
• Passwords are hashed using industry-standard algorithms. We never store your password in plain text and cannot recover it for you
• Access to your data is protected by Supabase Row Level Security. Your data is only accessible when authenticated as you, and no other Trade PA user can access your business records
• Access to production systems is restricted to authorised personnel and logged
• We use Sentry to monitor for unusual errors and Supabase audit logs to monitor for unusual data access
• We apply the principle of least privilege. Each third-party processor receives only the minimum data needed for the specific function

Despite these measures, no system is completely secure. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify you and the ICO within 72 hours as required by UK GDPR.

We recommend using a strong, unique password for your Trade PA account and enabling multi-factor authentication once available.

Cookies & local storage

Trade PA uses only essential cookies and browser storage required for the service to function:

• Authentication: keeps you signed in between visits
• Session: tracks the state of the app while you use it (for example, which tab you have open)
• Error reporting: identifies your session to correlate crash reports without identifying you personally to our error-monitoring tool

We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies. We do not place advertising of any kind, nor do we permit third parties to do so.

Because all cookies and local storage are strictly necessary for the service, we do not display a cookie consent banner. UK cookie law (PECR) does not require consent for strictly necessary cookies.

Children

Trade PA is a business tool and is not intended for use by anyone under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact privacy@tradespa.co.uk and we will delete it.

Changes to this policy

We may update this privacy policy from time to time. The "Last updated" date at the top of this page reflects the most recent change.

Where changes are material, for example a new category of data collected, a new purpose, a new international recipient, or a reduction in your rights, we will notify you by email at least 30 days before the change takes effect and, where required by law, seek your consent.

Continued use of Trade PA after non-material changes take effect constitutes acceptance of the updated policy. If you do not agree with an update, you may cancel your subscription and request deletion of your account under section 11.

Contact us & ICO complaints

If you have any questions about this privacy policy, or wish to exercise your data rights, please contact us:

We aim to resolve all privacy concerns directly. If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office: