Privacy Policy

Last updated: 23 April 2026

This policy explains how CallFlow Trades Ltd (“we”, “us”) collects and uses personal data when you use the CallFlow Trades platform (the “Service”). We are committed to protecting your privacy and handling personal data in line with UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

1. Who we are

CallFlow Trades Ltd, company number {{COMPANY_NUMBER}}, registered at {{REGISTERED_ADDRESS}}. For privacy-related questions contact privacy@callflowtrades.co.uk. Our ICO registration number is {{ICO_REGISTRATION_NUMBER}}.

2. Two distinct roles

Under UK GDPR we have two separate roles, depending on whose data is being processed:

  • Data controller for personal data about you as a subscriber — your name, email, business details, billing records, usage logs.
  • Data processor for personal data your plumbing business puts into the Service about your own customers — e.g. customer names, phone numbers, addresses, quote and invoice content, SMS and call records. You are the controller of that data. We only process it on your instructions.

3. Personal data we collect about you (the subscriber)

  • Account data: name, email, password hash, role, business name.
  • Business profile: company address, phone, website, VAT number, company number, logo, bank details (for display on your invoices).
  • Billing data: Stripe customer ID, subscription status, invoice history. Full card numbers are held by Stripe, not us.
  • Usage data: sign-in timestamps, IP address, browser user-agent, actions taken in the app (for security and debugging).

4. Personal data you put into the Service

  • Your customers' names, phone numbers, email addresses, postal addresses, job descriptions, quote content, invoice content, and notes you record.
  • Inbound and outbound SMS messages and call metadata (caller number, timestamp, duration) handled via our telephony partner.

You are responsible for having a lawful basis (typically legitimate interest or contract) to hold this information about your customers, and for responding to rights requests from them.

5. Lawful bases

We rely on the following bases under UK GDPR Article 6:

  • Contract — to provide the Service to you and take payment.
  • Legitimate interests — to secure the Service, diagnose faults, prevent abuse, and improve the product. Our legitimate-interest balancing test is available on request.
  • Legal obligation — for tax records, statutory invoicing, and responding to lawful requests.
  • Consent — for optional marketing emails from us. You can withdraw at any time.

6. Who we share data with (sub-processors)

To operate the Service we use the following processors. Each is contractually bound to protect personal data.

  • Supabase — database, authentication, file storage.
  • Stripe Payments Europe, Ltd. — subscription billing.
  • Twilio Ireland Limited — SMS and voice.
  • Resend (AE Studio, Inc.) — transactional email.
  • Vercel Inc. — hosting and CDN.

Some of these providers may transfer or process data outside the UK. Where they do, we rely on the UK International Data Transfer Agreement or equivalent safeguards.

7. How long we keep data

  • Account data — for the life of your subscription, plus up to 12 months after cancellation so you can resubscribe without loss of data.
  • Billing and tax records — 6 years, as required by HMRC.
  • Content you create (customers, quotes, invoices, messages) — retained while your account is active. You can delete records at any time; on account deletion we delete your content within 30 days except where retention is required by law.
  • Security logs — up to 90 days.

8. Your rights

Under UK GDPR you can ask us to:

  • access a copy of your personal data;
  • correct inaccurate data;
  • erase your data (subject to lawful exceptions such as tax records);
  • restrict processing;
  • port your data to another provider;
  • object to processing based on legitimate interests;
  • withdraw consent for marketing at any time.

Email privacy@callflowtrades.co.uk to exercise any of these rights. We'll respond within one month. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

9. Security

We use TLS in transit, encrypted storage at rest, row-level security in our database, role-based access within your business, and access logging on administrative actions. No system is 100% secure; if we detect a breach that affects you we will notify you in line with our obligations.

10. Cookies

We use strictly necessary cookies to keep you signed in and to maintain session security. We do not use advertising cookies. If we ever add analytics, you'll see a consent banner first.

11. Children

The Service is for business use and is not directed to anyone under 16. We do not knowingly collect personal data from children.

12. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of the page will change. If the update materially affects your rights we will email you at least 14 days before it takes effect.

13. Contact

Questions or requests: email privacy@callflowtrades.co.uk, or write to us at {{REGISTERED_ADDRESS}}.