Privacy Policy

Last updated: March 9, 2026

1. Introduction

TradeSheet ("we", "our", or "us") is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our job management, invoicing, and electrical certification platform (the "Platform").

This policy applies to: (a) business customers ("Customers") who register for the Platform; (b) individual users ("Authorised Users") who access the Platform under a Customer's account; and (c) visitors to our website and contact forms. For definitions of these terms, please see our Terms of Service.

2. Our Role: Data Controller vs Data Processor

TradeSheet acts in two distinct roles depending on the type of data:

  • Data Controller — for account registration data, billing information, website visitor data, and contact form submissions. We determine the purposes and means of processing this data.
  • Data Processor — for Customer Data and End Client Data (i.e. client records, job data, certificates, invoices, and other business data that Customers store on the Platform). The Customer is the Data Controller for this data; we process it only on their behalf and in accordance with their instructions to operate the Platform.

3. Information We Collect

3.1 Account & Registration Data (Controller)

When a Customer registers or an Authorised User is invited, we collect:

  • Name, email address, and password (hashed)
  • Company name, business type, and registered address
  • Country, VAT number or EIN (where provided)
  • Mobile phone number (where voluntarily provided)
  • Role and permissions within the organisation

3.2 Customer Data (Processor)

Customers and their Authorised Users input business data into the Platform, which may include:

  • Client/customer records (names, addresses, contact details)
  • Job and project information (descriptions, schedules, locations)
  • Electrical certification documents and inspection records
  • Quotes, invoices, and payment records
  • Timesheets and attendance data
  • Internal messages and chat communications
  • Photos, documents, and file attachments

We process this data solely to provide the Platform. The Customer is the Data Controller and is responsible for ensuring they have appropriate lawful bases and privacy notices for the personal data they store.

3.3 Billing Data (Controller)

  • Payment card details are collected and processed directly by Stripe — we do not store card numbers
  • We store Stripe customer IDs, subscription status, and billing history

3.4 Usage & Technical Data (Controller)

  • Device type, operating system, and app version
  • IP address and approximate location (for security and rate limiting)
  • Feature usage patterns and error logs (anonymised where possible)
  • Push notification tokens (for delivering notifications)

3.5 Contact Form & Website Visitor Data (Controller)

  • Name, email, mobile number, company name, and message content submitted via our contact form
  • SMS consent status (where provided)

4. How We Use Your Information

4.1 To Provide the Platform

  • Authenticate users and manage account access
  • Process, store, and synchronise Customer Data across devices
  • Generate certificates, invoices, quotes, and reports
  • Enable real-time collaboration, messaging, and notifications
  • Process payments and manage subscriptions via Stripe

4.2 To Communicate With You

  • Send transactional emails (account verification, password resets, billing receipts)
  • Send transactional SMS notifications (job updates, appointment reminders, quote information) where you have opted in — we do not send marketing SMS
  • Deliver push notifications for in-app events (where enabled on your device)
  • Respond to support enquiries and contact form submissions

4.3 To Maintain & Improve the Platform

  • Monitor performance, detect errors, and troubleshoot issues
  • Analyse anonymised, aggregated usage patterns to improve features
  • Enforce security, prevent abuse, and protect against fraud

4.4 To Comply With Legal Obligations

  • Respond to valid legal requests, court orders, or regulatory requirements
  • Maintain records required by tax, accounting, or other legislation

5. Lawful Basis for Processing

Under UK GDPR and EU GDPR, we rely on the following lawful bases for processing personal data where we act as Data Controller:

  • Contract: Processing necessary to perform our contract with the Customer (account management, service delivery, billing)
  • Legitimate Interest: Processing necessary for our legitimate business interests (security, fraud prevention, service improvement) where these do not override your rights
  • Consent: Where you have given specific consent (e.g. SMS notifications). You may withdraw consent at any time
  • Legal Obligation: Where processing is required to comply with applicable law

Where we act as Data Processor (for Customer Data), we process on the Customer's instructions. The Customer is responsible for establishing their own lawful basis for the personal data they store.

6. Data Sharing & Disclosure

We do not sell personal data. We do not share Customer Data with third parties for their marketing purposes. We may share information only in the following circumstances:

  • Sub-processors: With the third-party service providers listed in our Terms of Service (Section 10) who assist in delivering the Platform, under strict data processing agreements
  • Legal compliance: Where required by law, regulation, or valid legal process
  • Safety & rights: To protect the rights, safety, or property of TradeSheet, our customers, or the public
  • Business transfer: In connection with a merger, acquisition, or sale of assets, in which case the acquiring entity would be bound by this Privacy Policy

7. SMS Communications

If you provide your mobile phone number and consent to SMS communications, we may send you transactional text messages related to:

  • Responses to your service enquiries
  • Job status updates and notifications
  • Appointment reminders and schedule changes
  • Quote and invoice information

These messages are strictly transactional and service-related. We do not send marketing or promotional SMS messages. Message frequency varies based on your account activity. Message and data rates may apply depending on your mobile carrier.

You may opt out of SMS notifications at any time by replying STOP to any message, or by contacting us. Opting out of SMS will not affect your ability to use the Platform. We do not share your mobile number with third parties for their marketing purposes. Our SMS service is provided through Twilio, which processes messages on our behalf under a data processing agreement. Full SMS terms are available at our SMS Terms & Conditions.

8. International Data Transfers

Our primary infrastructure is hosted in the EU/UK. Some sub-processors (e.g. Stripe, Firebase, Apple) may process data in the United States or other jurisdictions. Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or the sub-processor's participation in recognised transfer mechanisms. You can request details of the specific safeguards in place by contacting us.

9. Data Retention

We retain data according to the following schedule:

  • Active accounts: Data is retained for as long as the Customer's account remains active
  • After termination: Customer Data is available for export for 30 days, then deleted from active systems within 90 days. Encrypted backup copies are overwritten in the normal rotation cycle
  • Billing records: Retained for 7 years as required by tax and accounting regulations
  • Contact form submissions: Retained for 2 years unless deleted earlier upon request
  • Security logs: Retained for up to 12 months for security and fraud prevention

10. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Password hashing using bcrypt with appropriate salt rounds
  • Role-based access controls and JWT-based authentication
  • Logical multi-tenant data isolation at the application and database level
  • Regular security updates and dependency monitoring
  • Automated database backups

No system is completely secure. In the event of a data breach that affects personal data, we will notify affected Customers and the relevant supervisory authority (e.g. the ICO) as required by applicable law, without undue delay.

11. Your Rights

Under UK GDPR and EU GDPR, you have the following rights in relation to personal data where we act as Data Controller:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data (subject to legal retention obligations)
  • Restriction: Request that we restrict processing in certain circumstances
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interest
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at hello@tradesheet.app. We will respond within 30 days (or as required by law).

For End Client Data: If you are a client of one of our Customers and wish to exercise your data rights, please contact the Customer directly. They are the Data Controller for your data. If you are unable to reach the Customer, you may contact us and we will assist in directing your request.

You also have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

12. Children's Privacy

The Platform is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly.

13. Cookies & Tracking

Our website and web application use essential cookies required for authentication and session management. We do not use third-party advertising cookies or cross-site tracking. We do not use the Platform to build advertising profiles or share browsing data with ad networks.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will provide notice via email to account owners or through an in-app notification at least 30 days before the changes take effect. We will update the "Last updated" date at the top of this page. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: