Privacy Policy
Last updated: 20 April 2026
1. Who we are
Tradespal (“we”, “us”, “our”) is a trading name providing quoting, invoicing, scheduling, and payment software for tradespeople, operated at tradespal.co.
Registered address: Tradespal Ltd, 61 Bridge Street, Kington, HR5 3DJ, United Kingdom.
Company number: 17152382 (registered in England & Wales).
ICO registration number: C1907103.
Data controller contact: privacy@tradespal.co for all data rights requests and privacy enquiries.
For UK and EU users, we act as the data controller for your personal data. For California users, we act as a business under CCPA. For Canadian users, we act as an organization under PIPEDA.
2. What data we collect
We collect data you provide directly and data generated automatically when you use our services:
- Account data: full name, email address, business name, phone number, street address, city, postcode, trade type, and password (stored as a one-way hash).
- Customer records: names, email addresses, phone numbers, and postal addresses of your customers that you enter into Tradespal.
- Transaction data: quotes, invoices, line items, job descriptions, payment status, deposit requests, notes, calendar events, and any job-site photos you upload.
- Expense records: job costs you record in Tradespal (description, amount, category, date, and optional notes). These are visible only to you and are never shared with your customers.
- Payment & billing data: subscription plan, billing cycle, and payment history. Card numbers and bank details are collected and stored exclusively by Stripe; we never see or store raw card data.
- Usage & technical data: pages visited, features used, timestamps, device type, operating system, browser type, and IP address.
- Push notification tokens: if you install the Tradespal mobile app and grant notification permissions, we store your device token to deliver payment and job-alert notifications.
- Support communications: emails, chat messages, or other correspondence you send us.
- Accounting integration tokens: if you connect Xero, QuickBooks, or FreeAgent, we store OAuth access and refresh tokens on your behalf to sync invoice and customer data to those platforms.
3. Why we collect it: lawful basis
3a. UK & EU GDPR: Article 6 lawful bases
- Contract performance (Art. 6(1)(b)): processing your account data, customer records, and transaction data to deliver the Tradespal service you signed up for, including sending invoices and processing payments.
- Legitimate interests (Art. 6(1)(f)): product analytics and performance monitoring to improve our service; fraud prevention and security monitoring; sending you service-related notifications.
- Legal obligation (Art. 6(1)(c)): retaining certain financial and transaction records as required by UK and EU law (e.g. 6-year VAT and accounting record retention under UK HMRC rules).
- Consent (Art. 6(1)(a)): marketing emails and newsletters (you may withdraw consent at any time by unsubscribing); push notifications (you may disable these in your device settings at any time).
3b. California: CCPA purpose of collection
We collect the above categories of personal information for the following business purposes: providing and improving the Service; processing payments; sending transactional and support communications; detecting and preventing fraud; complying with legal obligations; and internal analytics. We do not sell, share for cross-context behavioural advertising, or otherwise monetise your personal information.
3c. Canada: PIPEDA consent and purpose
We collect, use, and disclose personal information only for the purposes described in this policy, with your knowledge and implied or express consent. You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting us at privacy@tradespal.co.
4. Who we share your data with: sub-processors
We do not sell your personal data to any third party. We share data only with the following trusted sub-processors that help us deliver the service:
- Supabase: database hosting and authentication. Data is stored in EU (Frankfurt) and/or US regions.
- Stripe: payment processing, subscription billing, and Stripe Connect for your customer payments. Processes data in the US and EU under SCCs.
- Vercel: web application hosting and edge network. US/EU infrastructure.
- Resend: transactional email delivery (invoices, quotes, reminders). US-based.
- Twilio: SMS delivery for payment reminders (only when SMS reminders are enabled). US-based.
- Anthropic: AI-powered pricing suggestions. Only anonymised job description text and trade type are sent; no customer PII is included. US-based.
- Expo / Expo Push Notification Service: mobile push notifications (only when the mobile app is installed and notifications are enabled). US-based.
- Intuit (QuickBooks): accounting data sync (only when you have connected QuickBooks). US-based.
- Xero: accounting data sync (only when you have connected Xero). NZ/Global.
- FreeAgent: accounting data sync (only when you have connected FreeAgent). UK-based.
- Meta (Facebook Pixel): website analytics and advertising. We use the Meta Pixel to measure how visitors interact with our website, track conversions (such as sign-ups), and show relevant ads to people who have visited Tradespal. Meta may use cookies and similar technologies. US-based.
- Google Analytics (GA4): website analytics. We use Google Analytics to understand how visitors use our site (pages visited, session duration, traffic sources). Data is anonymised and aggregated. US-based.
- TikTok (TikTok Pixel & Events API): advertising measurement and conversion tracking. We use the TikTok Pixel (browser-side) and TikTok Events API (server-side) to measure how visitors interact with our website and to track conversion events such as account sign-ups. When you sign up, your email address is hashed using SHA-256 before being transmitted to TikTok; the raw email address is never sent. TikTok may use this data to measure the effectiveness of ads and, if you have a TikTok account, to match your activity. US/Singapore-based.
We may also disclose data if required by law, court order, or to protect our legal rights and the safety of others.
5. How long we keep your data
- Account & profile data: retained for the duration of your active account, then deleted or anonymised within 90 days of account closure.
- Transaction records (invoices, quotes): retained for the life of your account plus 6 years after closure, as required for financial and tax compliance under UK law (HMRC). Equivalent obligations apply in other jurisdictions.
- Customer records: retained for the duration of your account plus 90 days after closure. You may delete individual customer records at any time within the app.
- Usage & analytics data: aggregated and anonymised after 24 months.
- Support communications: retained for 3 years from the date of last contact.
- OAuth integration tokens: deleted immediately upon disconnection of the relevant accounting integration.
- Push notification tokens: deleted when you uninstall the app, revoke notification permissions, or close your account.
6. Your privacy rights
6a. UK & EU GDPR rights
If you are in the United Kingdom or European Economic Area, you have the following rights:
- Right of access (Art. 15): request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
- Right to erasure / “right to be forgotten” (Art. 17): request deletion of your personal data, subject to legal retention obligations.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format (CSV/JSON) to transfer to another service.
- Right to restriction of processing (Art. 18): request that we limit how we use your data in certain circumstances.
- Right to object (Art. 21): object to processing based on legitimate interests, including profiling.
- Right to withdraw consent: withdraw consent for marketing emails or push notifications at any time without affecting prior processing.
- Right to lodge a complaint: UK users may complain to the Information Commissioner’s Office (ICO). EU users may complain to their local supervisory authority.
6b. California: CCPA / CPRA rights
If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know: request disclosure of the categories and specific pieces of personal information we have collected about you, and the purposes for which we use it.
- Right to delete: request deletion of personal information we have collected, subject to exceptions (e.g. completing a transaction, complying with legal obligations).
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale or sharing: we do not sell your personal information and do not share it for cross-context behavioural advertising. There is nothing to opt out of.
- Right to limit use of sensitive personal information: we do not use sensitive personal information beyond what is necessary to deliver the Service.
- Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights.
To exercise your California rights, email privacy@tradespal.co with the subject line “California Privacy Rights Request.” We will verify your identity and respond within 45 days.
6c. Canada: PIPEDA rights
If you are in Canada, you have the following rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):
- Right of access: request access to your personal information held by us and information about how it has been used and disclosed.
- Right to correction: request correction of inaccurate personal information. If we do not make the correction, you may require us to note the correction was requested.
- Right to withdraw consent: withdraw consent for collection, use, or disclosure of your personal information, subject to legal or contractual restrictions and reasonable notice.
- Right to challenge compliance: challenge our compliance with PIPEDA, including by complaining to the Office of the Privacy Commissioner of Canada.
To exercise your PIPEDA rights, email privacy@tradespal.co with the subject line “PIPEDA Privacy Rights Request.” We will respond within 30 days.
How to submit a rights request (all regions)
Email privacy@tradespal.co with: (1) your name and email address used to register, (2) the right(s) you wish to exercise, and (3) any relevant details. We will verify your identity before acting on any request. We respond within 30 days (45 days for CCPA requests).
7. International data transfers
Tradespal is operated from the United Kingdom. Several of our sub-processors, including Stripe, Vercel, Resend, Twilio, Anthropic, Expo, Intuit, and TikTok, are headquartered in the United States or Singapore. Where we transfer personal data outside the UK or EEA, we rely on appropriate safeguards:
- Standard Contractual Clauses (SCCs): the UK International Data Transfer Agreement (IDTA) or EU SCCs (2021) are in place with all US sub-processors.
- Adequacy decisions: transfers to countries with an adequacy decision by the UK ICO or European Commission proceed on that basis.
- Supabase EU region: where possible, your primary data is stored in Supabase’s EU (Frankfurt) region to minimise cross-border transfers.
8. Public invoice and quote links
When you send an invoice or quote to a customer, we generate a unique, unguessable link (UUID) that allows your customer to view the document and pay without logging in. This link exposes only information you chose to include: your business name and contact, the customer’s name and email, and the line items and amounts. No other personal data is accessible via these links. You should not share them with anyone other than the intended recipient.
9. SMS reminders
If a customer has a mobile number stored in Tradespal and an invoice becomes overdue, we may send an automated SMS reminder on your behalf via Twilio. The customer’s phone number is transmitted to Twilio solely to deliver that message. You can disable SMS reminders in your account settings at any time. You are responsible for ensuring you have a lawful basis to contact your customers by SMS.
10. Accounting integrations (Xero, QuickBooks, FreeAgent)
These integrations are entirely optional. When you connect an accounting platform:
- You are redirected to that platform’s own authorisation page where you grant Tradespal permission to access your account.
- We store OAuth access and refresh tokens securely in our database to sync data on your behalf.
- We push invoice data (numbers, line items, amounts, due dates) and customer contact data (name, email) to the connected platform.
- We do not read, modify, or delete any other data in your accounting account beyond what is needed for invoice and contact sync.
- You can disconnect any integration at any time from Settings → Accounting integrations. On disconnection, we delete your stored tokens immediately.
11. AI pricing suggestions
When you use the AI price suggestion feature, we send the job description text and your trade type to Anthropic to generate suggestions. We do not send customer names, addresses, or any other personally identifiable information to Anthropic. Anthropic’s privacy policy: anthropic.com/privacy.
12. Cookies and tracking technologies
We use the following types of cookies and tracking technologies:
- Essential cookies: required for authentication and session management. These cannot be disabled.
- Analytics cookies: we use Google Analytics (GA4) to understand how visitors use our site. Google Analytics sets cookies to measure page views, session duration, and traffic sources. You can opt out via Google’s opt-out tool.
- Advertising/tracking pixels: we use the Meta (Facebook) Pixel and TikTok Pixel to measure conversions and show relevant ads to people who have visited Tradespal. These pixels set cookies and/or use server-side signals to track activity on our site. Meta: manage ad preferences at facebook.com/adpreferences. TikTok: manage ad preferences at tiktok.com/privacy.
- Performance analytics: Vercel Analytics (cookieless) tracks aggregate site performance without setting cookies.
Our cookie consent banner allows you to accept or decline non-essential cookies. Declining will prevent the Meta Pixel and Google Analytics from loading. Essential cookies will always be active. For a full list of cookies we set, see our Cookie Policy.
13. Security
All data is transmitted over TLS (HTTPS). Passwords are stored as salted one-way hashes via Supabase Auth; we never store plain-text passwords. We apply row-level security on our database so each user can only access their own data. OAuth tokens for accounting integrations are stored encrypted at rest. We review our security practices regularly. If you discover a vulnerability, please email privacy@tradespal.co.
14. Children
Tradespal is a business tool not directed at children under 16 (or 13 in the US). We do not knowingly collect data from anyone under these ages. If you believe we have done so, contact us immediately.
15. Changes to this policy
We may update this policy periodically. For material changes we will notify you by email or in-app notice at least 14 days before the change takes effect. Continued use of Tradespal after the effective date constitutes acceptance of the updated policy. The “Last updated” date at the top of this page always reflects the most recent revision.
16. Contact & complaints
For any privacy question, rights request, or concern:
Email: privacy@tradespal.co
Subject line: include your region (“UK/EU GDPR Request”, “California Privacy Rights Request”, or “PIPEDA Privacy Rights Request”) for faster routing.
Supervisory authorities:
- UK: Information Commissioner’s Office (ICO): ico.org.uk
- EU: Your local data protection authority at edpb.europa.eu
- California: California Privacy Protection Agency: cppa.ca.gov
- Canada: Office of the Privacy Commissioner of Canada: priv.gc.ca