Privacy Policy

Last updated: 28 May 2026

This is a template privacy policy for the TradeRanked beta. It is not a substitute for legal review by a UK SaaS lawyer. We aim to be GDPR / UK GDPR / Data Protection Act 2018 compliant.

1. Who's the controller

TradeRanked is operated from the United Kingdom by the founder. We are the data controller for all data described below. Contact for any privacy question: hello@traderanked.co.uk.

2. What we collect and why

When you sign up

Email address — to log you in, recover your password, and send transactional emails about your account
Business name + trade + (optional) phone, website, bio — shown on your public profile to attract customers
Hashed password (Argon2 — we never see your plain-text password)

When you use the service

Photos you upload — stored on our servers, processed (resized + thumbnails), published on your public job pages
Job details you enter (title, location, materials, bullets) — used to generate AI write-ups and published
Customer consent records — when a homeowner signs off on having photos of their property published
Quote requests left by homeowners on your job pages — name, email, postcode, description — forwarded to you by email

Automatically

Standard server logs: IP address, browser type, requested URL, timestamp — kept 30 days, used for security + debugging only
Session cookies — essential for login. We do not use non-essential / tracking cookies.

When you pay

All payment processing is handled by Stripe. We never see your card details. We do store your Stripe customer ID, subscription ID, current plan, and billing period end date so we can show you the right plan + invoices in our app.

3. Legal bases for processing

Under UK GDPR, every bit of data we process needs a legal basis:

Contract: data needed to provide the service you signed up for (email, password, business profile, photos, job details)
Legitimate interest: server logs for security; transactional emails to keep you informed about your account
Consent: marketing / drip emails — you can unsubscribe via the link in every email or by replying STOP

4. Who we share data with

We use the following sub-processors:

DigitalOcean (UK datacenter) — hosting our servers + database
Stripe — payment processing (PCI-compliant, certified)
Resend — transactional email delivery
Anthropic — AI write-up generation (job details sent for processing; no personal data beyond what's already public on the job page)
Google — Search Console (for SEO), Indexing API (to surface your pages in search)
Plausible Analytics (if enabled) — privacy-preserving visitor stats (no cookies, no personal data)

Each has their own privacy policy and DPA. We never sell your data.

5. International transfers

Some sub-processors (Stripe, Anthropic, Google) are US-based. We rely on the standard contractual clauses adopted by the UK ICO for international transfers, alongside the data adequacy decision for the US Data Privacy Framework (where applicable).

6. How long we keep your data

Account data: while you're a customer + 30 days after deletion (or longer if needed for tax/legal records)
Job content (photos, write-ups): same as account data — deleted with your account
Server logs: 30 days
Billing records: 7 years (UK HMRC requirement)

7. Your rights

Under UK GDPR you have the right to:

Access the personal data we hold about you
Correct anything inaccurate
Have your data deleted ("right to erasure")
Restrict or object to specific processing
Receive a copy of your data in a portable format
Withdraw consent for marketing at any time
Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk

To exercise any of these, email hello@traderanked.co.uk. We'll respond within 30 days.

8. Security

Passwords are stored hashed with Argon2. All traffic is encrypted in transit via HTTPS (Let's Encrypt). Database backups are taken daily. Admin access requires authentication; we plan to add two-factor authentication for admin accounts before processing live payments. No system is 100% secure — if a breach occurs we'll notify affected users within 72 hours per UK GDPR Article 33.

9. Cookies

We use essential cookies only:

Flask session cookie (login)
CSRF token cookie (form security)

We do not use third-party tracking / advertising cookies. If we ever add them (e.g. Google Analytics, Facebook Pixel), we'll add a cookie consent banner first.

10. Changes to this policy

We'll email registered users about any material change at least 30 days before it takes effect.

11. Contact

hello@traderanked.co.uk