Privacy Policy

Last updated: 10 April 2026

1. Who we are

Traddie is owned by Eris Technology Solutions. When we say "we", "our", or "us", we mean Eris Technology Solutions, which operates the Traddie mobile application (iOS and web) and the website at gettraddie.com (the "Service"). We are the data controller for the personal data we collect through the Service.

You can contact us at hello@gettraddie.com for any privacy-related questions.

2. Introduction

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. It applies to all users of the Traddie app and website. Please read it carefully.

By using the Service, you agree to the collection and use of your information in accordance with this policy. If you do not agree, please do not use the Service.

3. Information we collect

Information you provide

When you register and use the Service, we may collect:

  • Name, email address, and phone number
  • Business information (company name, address, VAT number, CIS UTR where applicable)
  • Payment and billing details (processed by Stripe; we do not store full card numbers)
  • Customer, quote, job, and invoice data you enter into the Service
  • Communications you send to us (e.g. support requests)

Information collected automatically

When you access the Service, we may automatically collect:

  • Device type, operating system, and unique device identifiers
  • IP address and general location
  • Usage data (e.g. features used, frequency of use) to improve the Service

Information from third parties

If you connect accounting or payment integrations (e.g. Xero, QuickBooks, FreeAgent, Stripe, HMRC), we receive only the data necessary to sync your workflow (e.g. chart of accounts, payment status, VAT obligations). We do not receive or store your login credentials for those services — we hold short-lived OAuth tokens instead.

4. How we use your information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Create and manage your account and authenticate you
  • Process payments and send invoices, quotes, and related communications
  • Sync data with your chosen accounting and payment providers
  • Send you service-related notices (e.g. security alerts, product updates)
  • Respond to your enquiries and provide customer support
  • Improve the Service, fix errors, and develop new features
  • Submit VAT returns and CIS returns to HMRC on your instruction, and keep the statutory records that UK tax law requires
  • Protect against fraud, abuse, and misuse of the Service

We do not sell your personal information to third parties. We do not use your data for advertising or profiling for marketing purposes.

5. Legal basis (UK GDPR)

We process your personal data on the following bases:

  • Contract: To perform our contract with you (providing the Service you have signed up for).
  • Legitimate interests: To run and improve our business, prevent fraud, and ensure security, where this does not override your rights.
  • Legal obligation: Where UK law requires us to process or retain data — in particular the VAT Act 1994, Finance Act 2004 (CIS), Finance Act 2020 Schedule 14 (Making Tax Digital), the Commissioners for Revenue and Customs Act 2005, and the Taxes Management Act 1970. Section 6 below sets out exactly what we process under this basis.
  • Consent: Where we have asked for your consent (e.g. marketing emails). You can withdraw consent at any time.

6. HMRC and UK tax data

Traddie helps you meet HMRC obligations — submitting VAT returns under Making Tax Digital (MTD), running the Construction Industry Scheme (CIS), and keeping the records UK tax law requires. Because this is legally sensitive, we want to be specific about exactly what we process, why, and for how long.

HMRC as an independent data controller

When we send data to HMRC on your behalf — a VAT obligations query, a VAT return submission, a CIS300 return, or the fraud-prevention headers HMRC requires on every MTD API call — HMRC processes that data as an independent data controller under its own statutory powers (primarily the Commissioners for Revenue and Customs Act 2005). We are not a joint controller with HMRC and we are not responsible for how HMRC uses the data once it has been lawfully transmitted. HMRC's own privacy notice is at gov.uk/hmrc/privacy-notice.

What we process, why, and the law that applies

Each row below is a distinct HMRC-related processing activity. For each one we list the data, where it lives, our lawful basis, and the UK law involved.

1. HMRC OAuth tokens (VAT MTD connection)

  • What: encrypted access token, refresh token, expiry timestamp
  • Stored in: integration_connections — encrypted at column level using pgcrypto; only decryptable by our service role
  • Why: so Traddie can call HMRC's MTD API on your behalf when you submit a VAT return
  • Lawful basis: Contract — we cannot deliver the MTD feature you signed up for without this connection
  • Minimisation: tokens are the minimum credential HMRC's API accepts; stored encrypted; deleted immediately when you disconnect HMRC, when a workspace is closed, when your account is deleted, or when our automated policy clears stale connections (see retention policy)

2. VAT registration number (VRN)

  • What: your 9-digit VAT number
  • Stored in: businesses.vat_number
  • Why: to identify your business to HMRC on VAT obligations queries and return submissions
  • Lawful basis: Legal obligation — the VAT Act 1994 and Finance Act 2020 Schedule 14 (Making Tax Digital for VAT) require a VAT-registered business to quote its VRN on every MTD-compatible submission
  • Minimisation: single field; only used when MTD is enabled

3. Unique Taxpayer Reference (UTR) for CIS

  • What: your 10-digit CIS UTR; where you operate as a contractor, your subcontractors' UTRs and the CIS verification rate HMRC returned
  • Stored in: businesses.cis_utr, customers.cis_utr, customer_cis_verifications
  • Why: to submit CIS300 monthly returns and apply the correct deduction rate (0%, 20%, or 30%) on every subcontractor payment
  • Lawful basis: Legal obligation — Finance Act 2004 Chapter 3 and the Income Tax (Construction Industry Scheme) Regulations 2005 require contractors to verify subcontractors with HMRC and report UTRs on the monthly return
  • Minimisation: we only store UTRs for counterparties you actually pay under CIS; we do not enrich or cross-reference UTRs with any other data

4. CIS deduction figures on invoices and returns

  • What: labour amount, materials amount, deduction rate, deduction amount, gross amount, tax-point date, "paid to HMRC" flag, "reported in return" flag; plus the monthly totals you filed
  • Stored in: invoices (the CIS columns), cis_return_versions, cis_monthly_statements, and an append-only cis_audit_log
  • Why: to calculate what you owe HMRC each CIS period and produce the monthly statement you must issue to each subcontractor
  • Lawful basis: Legal obligation — the CIS regulations require contractors to keep records of every payment, deduction, and statement issued
  • Minimisation: the amounts already exist on your invoices; CIS columns just break them out — no new personal data is introduced

5. VAT return figures (MTD submissions)

  • What: the 9 VAT return boxes, the obligation period, and the HMRC submission receipt
  • Stored in: an append-only vat_compliance_audit log; the underlying figures come from invoices.vat_amount and invoice_line_items.vat_amount
  • Why: to file the return via MTD and keep a tamper-evident audit trail of what was submitted and when
  • Lawful basis: Legal obligation — VAT Act 1994 s.25 and the VAT (Amendment) Regulations 2018 require digital record-keeping and preservation of VAT return data
  • Minimisation: we store the 9 boxes and a reference back to the line items, not a duplicate copy of every invoice

6. HMRC fraud-prevention headers

  • What: device type, operating system, public IP address, screen resolution, timezone, your user ID and email, browser user-agent — generated per request and sent with every HMRC MTD API call
  • Stored in: not stored by Traddie — these headers are built in memory per request and transmitted to HMRC only
  • Why: HMRC's Fraud Prevention Specification mandates these headers on every MTD API call; submissions without them are rejected
  • Lawful basis: Legal obligation — HMRC's Fraud Prevention Specification is issued under the Commissioners for Revenue and Customs Act 2005 and is a precondition of using the MTD API
  • Minimisation: we send only the fields HMRC's specification requires; nothing is persisted on our side

7. Compliance profile and deadline reminders

  • What: business structure, VAT scheme and quarter end, CIS status, self-assessment flag, company year-end, upcoming tax deadlines
  • Stored in: user_compliance_profile, compliance_deadlines
  • Why: to show you the right reminders and run the right calculations
  • Lawful basis: Contract — this is configuration you provide so we can run the features you signed up for
  • Minimisation: every field is optional and you can clear it at any time

Retention of HMRC-related records

UK tax law requires us (and you) to keep tax records for a minimum of six years from the end of the relevant tax year they relate to (the period that HMRC and the Finance Acts use for VAT, income tax, and CIS record-keeping), not simply six years from today's date. The main provisions are VAT Act 1994 s.58 and Schedule 11 paragraph 6, Finance Act 1998 Schedule 18, and Taxes Management Act 1970 s.12B. This retention applies to:

  • VAT returns and the invoices and line items that support them
  • CIS returns, deduction records, and the monthly statements issued to subcontractors
  • The append-only vat_compliance_audit and cis_audit_log trails of HMRC-related actions

If you close your Traddie account inside that six-year window, we retain the HMRC-related records (anonymising personal identifiers on the surrounding data where we can) until the statutory period has passed, then delete them. Everything else on your account is deleted or anonymised on closure.

Your rights where we rely on Legal Obligation

Under UK GDPR, some of your rights are limited when our lawful basis is Legal Obligation (as set out in the ICO's guide to this basis):

  • The right of erasure does not apply to records we are legally required to keep (the VAT return we filed, CIS monthly statements, the six-year tax trail)
  • The right to object does not apply to legal-obligation processing
  • The right to data portability does not apply to legal-obligation processing

You still have the right of access and rectification for HMRC-related records we hold about you, and you can complain to the ICO if you believe we are processing more data than UK tax law requires. Your rights under Contract-basis processing (portability, erasure on account closure, etc.) are unaffected for everything outside this section.

7. Data storage and security

Your data is stored in the United Kingdom using Supabase on Amazon Web Services (AWS) in the eu-west-2 (London) region. Data is encrypted in transit (TLS) and at rest (AES-256). HMRC OAuth tokens are additionally encrypted at the column level using pgcrypto, so they cannot be read even by someone with direct database access without the service-role key. We use industry-standard security practices to protect your information from unauthorised access, alteration, disclosure, or destruction.

Payment card data is handled by Stripe and is subject to Stripe's privacy policy and PCI DSS compliance. We do not store full card numbers on our servers.

8. Data retention

We retain your personal data for as long as your account is active or as needed to provide the Service. After you close your account, we may retain certain data for a limited period to comply with legal obligations (e.g. tax, HMRC), resolve disputes, enforce our agreements, and for legitimate business purposes. After that, we delete or anonymise your data.

Tax and invoice records (UK): Where you use Traddie for invoicing, VAT, CIS, or expenses, the statutory six-year retention in section 6 above applies. If you exercise your right to erasure under UK GDPR, we will remove or anonymise personal identifiers where possible while retaining the underlying tax records where we have a legal obligation to do so. You can download a JSON export of your financial data from the app before closing your account where this is available.

You may request deletion of your personal data at any time (see "Your rights" below). We will honour such requests where we are not required to retain the data by law.

9. Sharing and third-party services

We may share your information with:

  • Service providers that help us operate the Service (e.g. hosting, email, analytics). They are contractually required to protect your data and use it only for the purposes we specify.
  • Payment processing: Stripe (for card payments). Stripe's privacy policy applies to their processing.
  • Accounting and tax integrations: If you choose to connect Xero, QuickBooks, FreeAgent, or HMRC, we send only the data you have authorised for sync or submission. Their privacy policies (and, for HMRC, its role as an independent controller — see section 6) apply to their handling of that data.
  • Legal and regulatory: Where required by law (e.g. court order, HMRC) or to protect our rights, safety, or property.

We do not sell or rent your personal information to third parties for their marketing purposes.

10. International transfers

Your data is stored and processed in the United Kingdom (and within the European Economic Area via AWS). We do not routinely transfer your personal data outside the UK/EEA. If we ever do, we will ensure appropriate safeguards (e.g. standard contractual clauses or adequacy decisions) are in place as required by UK GDPR.

11. Children's privacy

The Service is not directed at anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us at hello@gettraddie.com and we will delete it promptly.

12. Your rights (UK GDPR)

You have the right to:

  • Access the personal data we hold about you
  • Rectification of inaccurate or incomplete data
  • Erasure ("right to be forgotten") in certain circumstances
  • Restrict processing in certain circumstances
  • Data portability (receive your data in a structured, machine-readable format)
  • Object to processing based on legitimate interests or for direct marketing
  • Withdraw consent where we rely on consent

Some of these rights are limited where we process data under Legal Obligation — see section 6 for the detail on HMRC and UK tax records. To exercise any of these rights, contact us at hello@gettraddie.com. We will respond within one month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK: ico.org.uk/make-a-complaint.

13. Cookies and similar technologies

Our website may use cookies and similar technologies (e.g. local storage) to keep you signed in, remember your preferences, and understand how the site is used. You can control cookies through your browser settings. Disabling certain cookies may affect how the website works.

Our mobile app may use local storage and identifiers necessary for the app to function (e.g. session tokens). We do not use cross-app tracking for advertising.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date. For material changes, we will notify you by email or through the Service where appropriate. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.

15. Contact us

For questions about this Privacy Policy, your personal data, or to exercise your rights, contact us:

Email: hello@gettraddie.com
Website: https://www.gettraddie.com
