Privacy Policy
Last updated: 27 June 2026
This Privacy Policy explains how TradeWren ("we", "us", "our") collects, uses, shares and protects personal data when you visit api.tradewren.com, create an account, or use our software. It also sets out your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to handling your information lawfully, transparently and securely.
1. Who we are (data controller)
TradeWren is the data controller for the personal data described in this policy. For most data you enter about your own customers, suppliers and staff while using the service, you are the controller and we act as your data processor — we only process that data on your instructions to provide the service to you.
If you have any questions about this policy or how we handle your data, contact us at privacy@api.tradewren.com.
2. Information we collect
We collect the following categories of personal data:
- Account data — the name, email address, password (stored only as a secure hash) and company details you provide when you register or are invited to an account.
- Business and customer data — the records you create in the app, such as clients, enquiries, quotes, jobs, invoices, notes and communications. This may include personal data about your own customers and contacts.
- Billing data — your subscription plan, billing interval, currency and billing status. Card and bank details are collected and stored by our payment providers, not by us.
- Usage and technical data — IP address, browser and device type, pages viewed, and actions taken in the app, collected to operate, secure and improve the service.
- Communications — messages you send to us (e.g. support requests) and email we send on your behalf where you have configured outgoing email.
3. How we use your data and our lawful bases
We process personal data on the following lawful bases under UK GDPR:
- To perform our contract with you — creating and managing your account, providing the features you subscribe to, processing payments and providing support (Article 6(1)(b)).
- For our legitimate interests — securing the platform, preventing fraud and abuse, understanding how the service is used, and improving and developing our product, in a way that does not override your rights (Article 6(1)(f)).
- To comply with legal obligations — for example, tax, accounting and record-keeping requirements (Article 6(1)(c)).
- With your consent — for any optional communications or non-essential cookies, which you can withdraw at any time (Article 6(1)(a)).
4. Cookies and similar technologies
We use a small number of strictly necessary and functional cookies to keep you signed in, secure the service and remember your preferences. We do not use advertising or cross-site tracking cookies. For full details, see our Cookie Policy.
5. Who we share your data with
We do not sell your personal data. We share it only with the service providers (processors) needed to run the platform, each under a contract that requires them to protect it and use it only on our instructions:
- Payment providers (such as Stripe and PayPal) to process subscription payments securely. Their handling of card data is governed by their own privacy notices.
- Email and messaging providers used to deliver transactional email (such as account, billing and notification emails) and, where you configure it, to send email on your behalf.
- Cloud hosting and infrastructure providers that host the application and database within the UK or European Economic Area.
- Professional advisers, regulators or law enforcement where we are legally required to disclose information.
6. International transfers
We aim to keep personal data within the UK and the European Economic Area (EEA). Where a provider processes data outside the UK/EEA, we ensure an appropriate safeguard is in place — such as a UK adequacy regulation or the International Data Transfer Agreement (or the EU Standard Contractual Clauses with the UK Addendum) — so your data receives an equivalent level of protection.
7. How long we keep your data
We keep personal data only for as long as we need it. Account and business records are retained for the life of your account and for a reasonable period afterwards to handle queries, disputes and our legal obligations. Billing and tax records are kept for at least six years to meet UK accounting requirements. When data is no longer needed, we securely delete or anonymise it.
8. How we protect your data
We use technical and organisational measures appropriate to the risk. These include strict per-tenant data isolation so each business only ever sees its own data, encryption of sensitive fields (such as credentials and bank details) at rest, encryption in transit over HTTPS, hashed passwords, access controls, and breached-password checks on sign-up. No system can be guaranteed perfectly secure, but we work continuously to protect your information.
9. Your rights
Under UK GDPR you have the right to:
- Be informed about how your data is used (this policy).
- Access a copy of the personal data we hold about you (a subject access request).
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten") where it is no longer needed.
- Restrict or object to certain processing.
- Receive your data in a structured, commonly used, machine-readable format (data portability).
- Withdraw consent at any time where we rely on consent.
10. Exercising your rights and complaints
To exercise any of these rights, email us at privacy@api.tradewren.com. We will respond within one month. If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk, though we would welcome the chance to resolve your concern first.
11. Children
Our service is a business tool intended for use by organisations and is not directed at children. We do not knowingly collect personal data from anyone under 16.
12. Changes to this policy
We may update this policy from time to time. When we make material changes we will update the "last updated" date above and, where appropriate, notify you in the app or by email. Please review it periodically.
13. Contact us
If you have any questions about this Privacy Policy or wish to exercise your rights, contact us at privacy@api.tradewren.com.