Privacy Policy
Last updated: 6 July 2026
1. Who we are
Traddie is operated by Eris Technology Solutions Ltd, a company registered in Scotland (company number SC857789). When we say "we", "our", or "us", we mean Eris Technology Solutions Ltd, which provides the Traddie mobile applications (iOS and Android) and the website and web app at gettraddie.com (the "Service"). We are the data controller for the personal data we collect about you through the Service.
Registered office: 210 A/B C/O BRS Pentagon Centre, 36–38 Washington Street, Glasgow, G2 8AZ, United Kingdom.
For any privacy-related questions, or to exercise your rights, contact us at support@gettraddie.com.
2. Introduction
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. It applies to all users of the Traddie apps and website. Please read it carefully.
By using the Service, you agree to the collection and use of your information in accordance with this policy. If you do not agree, please do not use the Service.
3. Information we collect
Information you provide
When you register and use the Service, we may collect:
- Name, email address, and phone number
- Business information (company name, address, VAT number, CIS UTR where applicable)
- Payment and billing details (processed by Stripe; we do not store full card numbers)
- Customer, quote, job, invoice, and expense data you enter into the Service
- Communications you send to us (e.g. support requests)
Information collected automatically
When you access the Service, we (and the providers in section 7) may automatically collect:
- Device type, operating system, browser, and unique device identifiers
- IP address and the general (approximate, city-level) location derived from it
- Product-usage data — pages and screens viewed, features used, and actions taken — to understand and improve the Service
- Session recordings (a replay of your interactions with the app or website) — see section 7 for what is captured, how it is masked, and how to turn it off
- Diagnostic and crash data when something goes wrong, so we can fix it
Information from third parties
If you connect accounting or payment integrations (e.g. Xero, QuickBooks, FreeAgent, Stripe, GoCardless, HMRC), we receive only the data necessary to sync your workflow (e.g. chart of accounts, payment status, VAT obligations). We do not receive or store your login credentials for those services — we hold short-lived OAuth tokens instead.
If you connect your Google Business Profile, we receive information about the business locations you manage — profile details, reviews, and performance insights — so we can show you your online presence and how to improve it. Section 12 sets out exactly what Google data we access, how we use and store it, and how to disconnect.
4. Your customers' and contacts' data
Traddie is a tool for tradespeople to run their business. When you add your own customers, suppliers, or contacts to the Service — their names, addresses, contact details, and the quotes, jobs, and invoices relating to them — you are the data controller for that information and Traddie acts as your data processor. We process it only to provide the Service to you and on your instructions.
You are responsible for having a lawful basis to enter that personal data and for telling your own customers how their data is used. If you need a data processing agreement covering this, contact us at support@gettraddie.com.
5. How we use your information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Create and manage your account and authenticate you
- Process payments and send invoices, quotes, and related communications
- Sync data with your chosen accounting and payment providers
- Send you service-related notices (e.g. security alerts, product updates)
- Respond to your enquiries and provide customer support
- Understand how the Service is used, fix errors, keep it secure, and develop new features (see section 7)
- Submit VAT returns and CIS returns to HMRC on your instruction, and keep the statutory records that UK tax law requires
- Protect against fraud, abuse, and misuse of the Service
We do not sell your personal information to third parties. We do not use your data for advertising, and we do not track you across other companies' apps or websites.
6. Legal basis (UK GDPR)
We process your personal data on the following bases:
- Contract: To perform our contract with you (providing the Service you have signed up for).
- Legitimate interests: To run, secure, and improve our business and the Service — including product analytics and error monitoring in our mobile apps, and fraud prevention — where this does not override your rights. You can object or opt out as described in sections 7 and 15.
- Consent: Where we ask for it — in particular non-essential analytics cookies and session recording on our website (via the cookie banner), and any marketing emails. You can withdraw consent at any time.
- Legal obligation: Where UK law requires us to process or retain data — in particular the VAT Act 1994, Finance Act 2004 (CIS), Finance Act 2020 Schedule 14 (Making Tax Digital), the Commissioners for Revenue and Customs Act 2005, and the Taxes Management Act 1970. Section 8 below sets out exactly what we process under this basis.
7. Analytics, session replay & error monitoring
To understand how Traddie is used, find problems, and improve the product, we use privacy-conscious product analytics and error monitoring. We do not use these tools for advertising or to build marketing profiles, and we do not track you across other companies' services.
Product analytics and session replay (PostHog)
We use PostHog as our product-analytics provider. PostHog data is hosted in the European Union (Frankfurt, Germany) on PostHog's EU Cloud. Through PostHog we collect: the events described in section 3 (screens and pages viewed, features used, actions taken), device, operating system and browser information, and approximate location derived from your IP address. We also use PostHog session replay, which records a playback of your interactions with the Service so we can see where people get stuck.
We configure session replay to mask on-screen content by default, across both our website and mobile apps: all text and form inputs are masked (so we do not capture names, addresses, amounts, or anything you type), and images, photos, and signature pads are blocked. Recording is consent-based on the website and can be switched off in the apps (see below), and recordings are retained for a limited period only — currently 30 days — after which they are deleted. Aggregated and event analytics are retained for no longer than necessary, and in any case no more than 12 months in identifiable form.
Error and crash monitoring (Sentry)
We use Sentry to capture errors and crashes so we can keep the Service stable and secure. Sentry data is hosted in the European Union (Germany). Error reports include diagnostic context such as device, operating system, and a technical stack trace. We scrub passwords, API keys, and similar secrets, and minimise personal data in these reports. We rely on our legitimate interest in keeping the Service working and secure.
Your choices
- Website: analytics and session replay are off until you accept them in the cookie banner. You can decline (the Service still works) and you can change your mind at any time by clearing the choice in your browser.
- Mobile apps: analytics and session replay are on by default (our legitimate interest) but you can turn them off at any time under Settings → Your data & GDPR. Turning the toggle off stops all analytics and recording on that device.
- Apple App Tracking Transparency: because we do not track you across other companies' apps or websites, the iOS "Allow tracking" prompt does not apply to this processing.
8. HMRC and UK tax data
Traddie helps you meet HMRC obligations — submitting VAT returns under Making Tax Digital (MTD), running the Construction Industry Scheme (CIS), and keeping the records UK tax law requires. Because this is legally sensitive, we want to be specific about exactly what we process, why, and for how long.
HMRC as an independent data controller
When we send data to HMRC on your behalf — a VAT obligations query, a VAT return submission, a CIS300 return, or the fraud-prevention headers HMRC requires on every MTD API call — HMRC processes that data as an independent data controller under its own statutory powers (primarily the Commissioners for Revenue and Customs Act 2005). We are not a joint controller with HMRC and we are not responsible for how HMRC uses the data once it has been lawfully transmitted. HMRC's own privacy notice is at gov.uk/hmrc/privacy-notice.
What we process, why, and the law that applies
Each row below is a distinct HMRC-related processing activity. For each one we list the data, where it lives, our lawful basis, and the UK law involved.
1. HMRC OAuth tokens (HMRC connection)
- What: encrypted access token, refresh token, expiry timestamp
- Stored in:
integration_connections— encrypted at column level using pgcrypto; only decryptable by our service role - Why: so Traddie can call HMRC's MTD API on your behalf when you submit a VAT return or a Making Tax Digital Income Tax quarterly update
- Lawful basis: Contract — we cannot deliver the MTD feature you signed up for without this connection
- Minimisation: tokens are the minimum credential HMRC's API accepts; stored encrypted; deleted immediately when you disconnect HMRC, when a workspace is closed, when your account is deleted, or when our automated policy clears stale connections (see retention policy)
2. VAT registration number (VRN)
- What: your 9-digit VAT number
- Stored in:
businesses.vat_number - Why: to identify your business to HMRC on VAT obligations queries and return submissions
- Lawful basis: Legal obligation — the VAT Act 1994 and Finance Act 2020 Schedule 14 (Making Tax Digital for VAT) require a VAT-registered business to quote its VRN on every MTD-compatible submission
- Minimisation: single field; only used when MTD is enabled
3. Unique Taxpayer Reference (UTR) for CIS
- What: your 10-digit CIS UTR; where you operate as a contractor, your subcontractors' UTRs and the CIS verification rate HMRC returned
- Stored in:
businesses.cis_utr,customers.cis_utr,customer_cis_verifications - Why: to submit CIS300 monthly returns and apply the correct deduction rate (0%, 20%, or 30%) on every subcontractor payment
- Lawful basis: Legal obligation — Finance Act 2004 Chapter 3 and the Income Tax (Construction Industry Scheme) Regulations 2005 require contractors to verify subcontractors with HMRC and report UTRs on the monthly return
- Minimisation: we only store UTRs for counterparties you actually pay under CIS; we do not enrich or cross-reference UTRs with any other data
4. CIS deduction figures on invoices and returns
- What: labour amount, materials amount, deduction rate, deduction amount, gross amount, tax-point date, "paid to HMRC" flag, "reported in return" flag; plus the monthly totals you filed
- Stored in:
invoices(the CIS columns),cis_return_versions,cis_monthly_statements, and an append-onlycis_audit_log - Why: to calculate what you owe HMRC each CIS period and produce the monthly statement you must issue to each subcontractor
- Lawful basis: Legal obligation — the CIS regulations require contractors to keep records of every payment, deduction, and statement issued
- Minimisation: the amounts already exist on your invoices; CIS columns just break them out — no new personal data is introduced
5. VAT return figures (MTD submissions)
- What: the 9 VAT return boxes, the obligation period, and the HMRC submission receipt
- Stored in:
vat_return_submissions(the submitted boxes and HMRC receipt) and an append-onlyvat_compliance_auditlog; the underlying figures come frominvoices.vat_amountandinvoice_line_items.vat_amount - Why: to file the return via MTD and keep a tamper-evident audit trail of what was submitted and when
- Lawful basis: Legal obligation — VAT Act 1994 s.25 and the VAT (Amendment) Regulations 2018 require digital record-keeping and preservation of VAT return data
- Minimisation: we store the 9 boxes and a reference back to the line items, not a duplicate copy of every invoice
6. HMRC fraud-prevention headers
- What: device type, operating system, public IP address, screen resolution, timezone, your user ID and email, browser user-agent — generated per request and sent with every HMRC MTD API call
- Stored in: not stored by Traddie — these headers are built in memory per request and transmitted to HMRC only
- Why: HMRC's Fraud Prevention Specification mandates these headers on every MTD API call; submissions without them are rejected
- Lawful basis: Legal obligation — HMRC's Fraud Prevention Specification is issued under the Commissioners for Revenue and Customs Act 2005 and is a precondition of using the MTD API
- Minimisation: we send only the fields HMRC's specification requires; nothing is persisted on our side
7. Making Tax Digital for Income Tax records (National Insurance number and quarterly updates)
- What: your National Insurance number, your HMRC self-employment business ID, the cumulative quarterly income and expense totals you submit, HMRC's submission references, and the tax calculations HMRC returns
- Stored in:
itsa_identifiers(your National Insurance number — encrypted at the column level and locked down so it is never readable by app clients; the app only ever sees a masked value likeQQ******C),itsa_submissions,itsa_calculations, and an append-onlyhmrc_audit_log - Why: HMRC's Income Tax API identifies taxpayers by National Insurance number; the submission and calculation records are the statutory evidence of what was filed and when
- Lawful basis: Legal obligation — the Income Tax (Digital Requirements) Regulations 2021 and Taxes Management Act 1970 s.12B require digital records and quarterly updates under Making Tax Digital for Income Tax
- Minimisation: HMRC receives category totals only — your individual invoices, receipts and customers are never transmitted in a quarterly update; the National Insurance number is used solely for HMRC filing and never appears in analytics, logs, or support tooling
8. Compliance profile and deadline reminders
- What: business structure, VAT scheme and quarter end, CIS status, self-assessment flag, company year-end, upcoming tax deadlines
- Stored in:
user_compliance_profile,compliance_deadlines - Why: to show you the right reminders and run the right calculations
- Lawful basis: Contract — this is configuration you provide so we can run the features you signed up for
- Minimisation: every field is optional and you can clear it at any time
Retention of HMRC-related records
UK tax law requires us (and you) to keep tax records for a minimum of six years from the end of the relevant tax year that they relate to (the period HMRC and the Finance Acts align with for VAT, income tax, and CIS record‑keeping—not six years from today’s date alone). The main provisions include VAT Act 1994 s.58 and Schedule 11 paragraph 6, Finance Act 1998 Schedule 18, and Taxes Management Act 1970 s.12B. This retention applies to:
- VAT returns and the invoices and line items that support them
- Making Tax Digital Income Tax quarterly updates and the identifiers used to file them
- CIS returns, deduction records, and the monthly statements issued to subcontractors
- The append-only
vat_compliance_audit,hmrc_audit_logandcis_audit_logtrails of HMRC-related actions
If you close your Traddie account inside that six-year window, we retain the HMRC-related records (anonymising personal identifiers on the surrounding data where we can) until the statutory period has passed, then delete them. Everything else on your account is deleted or anonymised on closure.
Your rights where we rely on Legal Obligation
Under UK GDPR, some of your rights are limitedwhen our lawful basis is Legal Obligation (as set out in the ICO's guide to this basis):
- The right of erasure does not apply to records we are legally required to keep (the VAT return we filed, CIS monthly statements, the six-year tax trail)
- The right to object does not apply to legal-obligation processing
- The right to data portability does not apply to legal-obligation processing
You still have the right of access and rectification for HMRC-related records we hold about you, and you can complain to the ICO if you believe we are processing more data than UK tax law requires. Your rights under Contract-basis processing (portability, erasure on account closure, etc.) are unaffected for everything outside this section.
9. Data storage and security
Your account and business data is stored in the European Union using Supabase on Amazon Web Services (AWS) in the eu-west-1 (Ireland) region. Storage in the EEA is a restricted transfer under UK GDPR covered by the UK's adequacy regulations for the EEA. Data is encrypted in transit (TLS) and at rest (AES-256). HMRC OAuth tokens are additionally encrypted at the column level using pgcrypto, so they cannot be read even by someone with direct database access without the service-role key. We use industry-standard security practices to protect your information from unauthorised access, alteration, disclosure, or destruction.
Payment card data is handled by Stripe and is subject to Stripe's privacy policy and PCI DSS compliance. We do not store full card numbers on our servers.
10. Data retention
We retain your personal data for as long as your account is active or as needed to provide the Service. After you close your account, we may retain certain data for a limited period to comply with legal obligations (e.g. tax, HMRC), resolve disputes, enforce our agreements, and for legitimate business purposes. After that, we delete or anonymise your data.
Analytics and session recordings: session recordings are kept for 30 days; event/usage analytics are kept for no longer than necessary and in any case no more than 12 months in identifiable form (see section 7).
Tax and invoice records (UK): Where you use Traddie for invoicing, VAT, CIS, or expenses, the statutory six-year retention in section 8 above applies. If you exercise your right to erasure under UK GDPR, we will remove or anonymise personal identifiers where possible while retaining the underlying tax records where we have a legal obligation to do so. You can download a JSON export of your financial data from the app before closing your account where this is available.
You may request deletion of your personal data at any time (see "Your rights" below). We will honour such requests where we are not required to retain the data by law.
11. Sharing and third-party services
We share your information only with the providers we rely on to run the Service. Each is contractually required to protect your data and use it only for the purposes we specify. Our main processors are:
- Supabase / Amazon Web Services — database, authentication, and hosting (United Kingdom, AWS London)
- Stripe — card payment processing
- GoCardless — Direct Debit and bank payments
- Resend — sending transactional emails (e.g. invoices, quotes, security codes)
- PostHog — product analytics and session replay (EU Cloud, Frankfurt, Germany)
- Sentry — error and crash monitoring (European Union, Germany)
- Upstash — rate-limiting and abuse prevention (processes limited request metadata such as a hashed identifier)
We also share data where you direct us to:
- Accounting and tax integrations: if you connect Xero, QuickBooks, FreeAgent, or HMRC, we send only the data you have authorised for sync or submission. Their privacy policies (and, for HMRC, its role as an independent controller — see section 8) apply to their handling of that data.
- Google Business Profile: if you connect your Google account, we access your Business Profile data through Google's APIs to display and analyse it in Traddie. We handle this Google user data in line with the Google API Services User Data Policy, including its Limited Use requirements — see section 12.
- Legal and regulatory: where required by law (e.g. court order, HMRC) or to protect our rights, safety, or property.
We do not sell or rent your personal information to third parties for their marketing purposes.
12. Google Business Profile & Google user data
Traddie offers an optional integration that lets you connect your Google Business Profile so you can see and improve how your business appears on Google Search and Maps from inside the app. This connection is entirely optional, is never enabled by default, and can be disconnected at any time. Because it involves Google user data, we set out below exactly how we access, use, store, and share it.
How the connection is authorised
When you choose to connect, you are taken to Google's own consent screen and asked to grant the https://www.googleapis.com/auth/business.managescope. We never see or store your Google password. Google returns short-lived OAuth access and refresh tokens, which we store encrypted at the column level (pgcrypto) and use only to call Google's Business Profile APIs on your behalf.
What Google data we access
With your authorisation, and only for the business locations you manage, we read:
- Business Profile details — location name, address, phone number, website, categories, opening hours, service area, business description, and services
- Reviews — star ratings, review text, reviewer display name, and any replies you have posted
- Performance insights — aggregate metrics such as profile impressions on Search and Maps, calls, website clicks, and direction requests
- Posts and photos — the local posts and media associated with your profile, used to gauge how active your listing is
How we use it
We use this data solely to provide the feature you asked for: to display your profile, reviews, and performance inside Traddie, and to compute a "profile health" score with practical suggestions for improving your local presence. We store the resulting snapshot (including the derived scores and a limited sample of recent reviews) in your workspace so the app loads quickly. We do not use Google user data for advertising, we do not sell or transfer it to third parties, and we do not use it to train generalised AI/ML models.
Limited Use disclosure
Traddie's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.
Disconnecting and deletion
You can disconnect Google Business Profile at any time from Settings → Integrations in the app. Doing so revokes Traddie's access with Google and deletes the stored OAuth tokens and the profile snapshot we hold. You can also review or revoke Traddie's access directly in your Google Account at myaccount.google.com/permissions.
13. International transfers
Your account and business data is stored and processed in the United Kingdom, and our analytics and error-monitoring providers host their data within the European Economic Area (Germany). Some of our providers are incorporated outside the UK/EEA (for example in the United States) and may be able to access data from there for support and operations. Where personal data is transferred outside the UK/EEA, we rely on appropriate safeguards as required by UK GDPR — such as the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses, or an adequacy decision.
14. Children's privacy
The Service is not directed at anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us at support@gettraddie.com and we will delete it promptly.
15. Your rights (UK GDPR)
You have the right to:
- Access the personal data we hold about you
- Rectification of inaccurate or incomplete data
- Erasure ("right to be forgotten") in certain circumstances
- Restrict processing in certain circumstances
- Data portability (receive your data in a structured, machine-readable format)
- Object to processing based on legitimate interests (including app analytics) or to direct marketing
- Withdraw consent where we rely on consent (e.g. website analytics, marketing emails)
Some of these rights are limited where we process data under Legal Obligation — see section 8 for the detail on HMRC and UK tax records. To exercise any of these rights, contact us at support@gettraddie.com. We will respond within one month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK: ico.org.uk/make-a-complaint.
16. Cookies and similar technologies
On our website we use cookies and similar technologies (such as browser local storage) in two categories:
- Strictly necessary: to keep you signed in (session/auth tokens), remember your cookie choice, and protect the Service (e.g. rate-limiting). These are always on because the Service cannot work without them.
- Analytics (consent-based): the PostHog analytics and session-replay cookies/local storage described in section 7. These are only set after you accept them in the cookie banner, and you can decline without affecting how the website works.
You can control or clear cookies through your browser settings. Disabling strictly necessary cookies may stop parts of the website from working.
Our mobile apps do not use cookies, but they use local storage and identifiers necessary for the app to function (e.g. session tokens) and, unless you opt out under Settings → Your data & GDPR, an analytics identifier for the purposes in section 7. We do not use cross-app tracking for advertising.
17. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date. For material changes, we will notify you by email or through the Service where appropriate. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.
18. Contact us
For questions about this Privacy Policy, your personal data, or to exercise your rights, contact us:
Eris Technology Solutions Ltd
210 A/B C/O BRS Pentagon Centre, 36–38 Washington Street, Glasgow, G2 8AZ, United Kingdom
Email: support@gettraddie.com
Website: https://www.gettraddie.com