Privacy Policy
Last updated: 21 May 2026
1. Who we are
TradeMatrix ("we", "us", "our") provides CRM software for trade businesses via tradematrixapp.uk and the marketing site at tradematrix.uk.
This Privacy Policy applies to both our marketing website and the TradeMatrix CRM application (together, the "Service").
For personal data relating to your account and use of the Service, we act as a data controller.
For data you upload about your own customers and staff ("Customer Data"), we act as a data processor on your behalf.
Contact: support@tradematrixapp.uk
2. What data we collect
Account & profile data:
- Full name, email address, phone number
- Company name, address, VAT number, UTR, Companies House details
- Password (securely hashed via Supabase Auth)
- Avatar/profile image, working hours, role, pay rate
Billing data:
- Subscription status, plan, seat counts, Stripe customer/subscription IDs
- Payment processing is handled by Stripe — we do not store full card details
- Connected bank account details for Stripe Connect payouts (where used)
Usage & technical data:
- IP address, browser type, device information, operating system
- Log data: timestamps, actions taken, audit trail of CRM changes
- E-signature metadata (printed name, timestamp, IP, user agent) for signed quotes and job completion forms
- Error and performance logs (via Sentry) for diagnosing issues
Customer Data (uploaded by you):
- Customer names, contact details, billing addresses
- Property addresses, geocoordinates, site notes, site photographs
- Quotes, invoices, jobs, scope of work, line items, materials, labour
- Scheduling data, timesheets, payroll inputs
- Compliance documents (RAMS, COSHH, H&S), certifications, equipment register
- Email correspondence sent through the Service
- Uploaded files: job photos, receipts, signed forms, PDFs
Marketing site data:
- Contact form submissions (name, email, message)
- Newsletter sign-ups (where you opt in)
3. Google user data & Limited Use
TradeMatrix offers optional integrations with Google Sign-In, Gmail, and Google Calendar. You may connect these from your account settings; you can disconnect at any time.
3.1 Google Sign-In
When you sign in with Google, we receive your basic profile (name, email address, profile picture) so we can create or match your TradeMatrix account. We do not receive your Google password.
3.2 Gmail integration
If you connect Gmail (for quotes/invoices or marketing sends), we request the gmail.send OAuth scope. We use this access only to send emails on your behalf from within the Service — for example, sending a quote PDF to your customer.
- We do not read your inbox, drafts, or labels.
- We store OAuth refresh tokens encrypted at rest so we can keep sending on your behalf until you disconnect.
- We store a copy of the message we send (recipient, subject, body, timestamp) in your account so it appears on the relevant job/customer record.
3.3 Google Calendar integration
If you connect Google Calendar, we request scopes that let us read your calendars list and create/update events in the calendar you select. We use this only to keep your TradeMatrix jobs and schedules in sync with your Google Calendar.
- We store the calendar ID you select and the IDs of events we have created, so we can update or remove them later.
- We do not read unrelated personal events beyond what is required to detect conflicts you have asked us to check for.
3.4 Limited Use compliance
TradeMatrix's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide and improve the user-facing features you have explicitly requested.
- We do not use Google user data to serve advertisements.
- We do not sell Google user data.
- We do not allow humans to read Google user data unless we have your explicit consent for specific messages, it is necessary for security investigations, to comply with applicable law, or the data has been aggregated and anonymised.
- We do not transfer Google user data to third parties except as necessary to provide the Service, to comply with applicable law, or as part of a merger/acquisition with continued privacy protections.
- We do not use Google user data to train generalised AI/ML models.
3.5 Revoking access
You can disconnect Google integrations at any time from Settings → Email or Settings → Calendar. You can also revoke access directly via myaccount.google.com/permissions. When you disconnect, we delete the stored OAuth tokens.
4. How we use your data
We process personal data under the following lawful bases:
Contractual necessity:
- To provide and operate the Service (CRM, scheduling, invoicing, payments)
- To manage your account, trial, and subscription
- To send emails and calendar events you initiate
Legitimate interests:
- To secure the platform and prevent fraud, abuse, or unauthorised access
- To monitor usage, diagnose errors, and improve features
- To provide customer support
Legal obligation: tax, accounting, and regulatory record-keeping.
Consent: marketing communications, optional Google integrations, optional location/geocoding lookups.
We do not sell personal data and do not use it for third-party advertising.
5. Service-related & marketing communications
We may send you service-related emails (account, billing, security, system updates). These are necessary to operate the Service and cannot be opted out of while you have an active account.
Marketing emails are only sent where you have given explicit consent, and you can unsubscribe at any time via the link in any marketing email or in your settings.
6. Customer Data you upload
You are the data controller for the Customer Data you upload. We act as your data processor and process it only on your documented instructions.
You are responsible for ensuring you have a lawful basis to collect and process this data, and for complying with UK GDPR, PECR, and any other applicable law.
7. Sub-processors & third-party services
We use the following sub-processors to operate the Service:
- Supabase — database, authentication, file storage, edge functions
- Stripe — subscription billing and customer payments
- Mailgun — transactional email delivery
- Google — Sign-In, Gmail send, Calendar sync, Maps/Places (only if you use these features)
- Sentry — error and performance monitoring
- Cloudflare / hosting providers — content delivery and DDoS protection
- OpenAI / Google AI — generating quote scopes and compliance documents from your prompts (your input is not used to train their public models under our enterprise terms)
Your use of any third-party service or integration is also governed by that provider's own terms and privacy policy.
8. Where we store data & international transfers
Customer Data is stored in EU/UK regions where possible. Some sub-processors (e.g. Stripe, Google, Sentry) may process data in the US or other regions.
Where data is transferred outside the UK/EEA, we rely on UK adequacy regulations, the UK International Data Transfer Addendum, and/or Standard Contractual Clauses to ensure equivalent protection.
9. Data retention
- Account and Customer Data are retained for as long as your account is active.
- After account closure, you may export data for up to 30 days. After this, data is deleted from active systems.
- Encrypted backups may persist for up to 90 days before permanent deletion.
- Google OAuth tokens are deleted immediately when you disconnect the integration.
- Invoices, audit logs, and other records required by law are retained for the legally required period (typically 6 years for UK tax records).
10. Security
We implement appropriate technical and organisational measures, including:
- TLS encryption in transit and encryption at rest
- Row-Level Security (RLS) enforcing strict tenant isolation between companies
- Role-based access control with separate Owner, Admin, Staff, and Subcontractor roles
- Encrypted storage of OAuth refresh tokens and other secrets
- Mandatory email verification, HIBP password leak checks, and rate limiting on sensitive endpoints
- Continuous monitoring and logging
If a breach occurs that is likely to result in a risk to your rights and freedoms, we will notify affected users and the ICO without undue delay.
11. Your rights (UK GDPR)
You have the right to access, correct, delete, restrict or object to processing, port your data, and withdraw consent.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).
To exercise your rights, contact support@tradematrixapp.uk.
12. Cookies
For full details, see our Cookie Policy.
13. Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from them.
14. Changes to this policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or in-app notification before they take effect.