Privacy Policy

Effective date: 1 May 2026 · Version 2026-05-01

This privacy policy explains how Get A Trades Website ("we", "Gary", "us") collects, uses and protects personal information across two services:

• This marketing website (getatradeswebsite.co.uk) — what we collect when you browse, get in touch, or place an order.
• The customer portal (portal.getatradeswebsite.co.uk) — what we hold when you sign up as a tradesperson and use the portal tools.

If you handle your own customers' details inside the portal (enquiries, quotes, invoices, jobs), there is a separate "Tradespeople using the portal" section below explaining how that data is treated and what your responsibilities are.

We take privacy seriously. We don't sell your data, we don't share it with third parties for marketing purposes, and we collect only what we need to provide the service.

Who We Are

Get A Trades Website is a web design and SEO service for UK tradespeople, operated by Gary, based in Scotland. If you have any questions about this policy or how your data is handled, you can get in touch via the contact form on the homepage.

We are registered with the UK Information Commissioner's Office (ICO) as a data controller. Our registration reference is ZC133661. You can verify our registration at ico.org.uk.

What Information We Collect

We collect information in two ways:

• Information you give us — when you fill in the contact or order form, we collect your name, email address, trade, location, and any details you include in your message.
• Information collected automatically — when you visit the site, Google Analytics collects anonymised data about your visit including pages viewed, time on site, device type, and approximate location. This does not identify you personally.

How We Use Your Information

Information you submit via the contact or order form is used solely to respond to your enquiry and, if you proceed, to build your website. We do not add you to any mailing list or pass your details to any third party without your explicit consent.

Google Analytics data is used to understand how visitors use the site so we can improve it. This data is aggregated and anonymised.

Cookies

This site uses cookies in two ways:

• Google Analytics cookies — these track anonymous usage data (pages visited, time on site, device type). They do not identify you personally. You can opt out of Google Analytics tracking at tools.google.com/dlpage/gaoptout.
• Cookie consent cookie — a small cookie is set when you acknowledge our cookie notice, so we don't show it to you again.

We do not use advertising cookies, tracking pixels, or any cookies from social media platforms.

Third-Party Services

We use the following third-party services which may process data on our behalf:

• Supabase — stores contact and order form submissions securely in an EU-hosted database. Supabase's privacy policy is available at supabase.com/privacy.
• Resend — delivers form submission notifications by email. Resend's privacy policy is available at resend.com/legal/privacy-policy.
• Google Analytics — anonymous website usage tracking. Google's privacy policy is available at policies.google.com/privacy.
• Google Fonts — font files are loaded from Google's servers, which may log your IP address. See policies.google.com/privacy.

Data Storage and Security

Form submissions are stored securely in a Supabase database (EU West 2 region) and a notification is delivered by email via Resend. Data is retained only for as long as necessary to complete your project or respond to your enquiry.

The website is served over HTTPS. All data transmitted via the contact form is encrypted in transit.

Tradespeople Using the Portal

If you sign up as a tradesperson and use the customer portal at portal.getatradeswebsite.co.uk, this section explains the additional data we hold about you, the data you store about your customers, and how UK GDPR responsibilities are split between you and us.

What We Hold About You as a Portal User

When you create a portal account or place an order, we hold:

• Your name, business name, email, phone, postal address, and the trade you operate in.
• Your billing details — handled by GoCardless (we never see card numbers; we hold a mandate reference and a payment history).
• Order history, invoices we've issued to you, and a record of plan changes and cancellations.
• Audit log of significant actions (e.g. order acceptance, T&C acceptance, plan changes) for the lifetime of your account.
• Your design brief, business profile, photos, logo and any other content you upload to build your website.

We use this data only to deliver the service you ordered, contact you about your account, and meet legal/accounting obligations. We don't profile you for advertising or share your data with third parties for marketing.

Your Customers' Data Inside the Portal — Controller / Processor

Some portal tools — Inbound Enquiries, Quotes, Invoices, and Jobs/Diary — store details about your end customers (their names, addresses, phone numbers, the work you've quoted or invoiced).

Under UK GDPR, that data has a clear split of responsibilities:

• You are the data controller. Your customers gave you their details to do work for them, so you decide what's collected and why. You're responsible for having a lawful basis (usually contract or legitimate interest), for replying to your customers' data requests, for keeping your records accurate, and for telling them how you use their information.
• We are a data processor on your behalf. We store the data securely, process it only to provide the portal service, and never use it for our own purposes.

By accepting our Terms of Service and this Privacy Policy you agree to act as the data controller for any customer details you store in the portal, and you confirm those terms also serve as the data processing agreement (DPA) governing how we handle that data on your behalf.

Sub-processors We Use

We use a small number of trusted suppliers to provide the portal. They process data on our behalf under their own data protection commitments:

• Supabase — Postgres database + authentication. EU-hosted (eu-west-2). All portal data lives here, encrypted at rest. supabase.com/privacy
• Resend — sends transactional emails (login links, order confirmations, ticket replies). resend.com/legal/privacy-policy
• GoCardless — direct debit and one-off payment collection. We do not store card or bank details. gocardless.com/legal/privacy
• Cloudflare — analytics + DNS + delivery. Cookieless analytics beacon. cloudflare.com/privacypolicy
• Anthropic (Claude API) — when you trigger AI-assisted features (e.g. generating SEO checklist suggestions). Inputs are processed and not used to train models. anthropic.com/legal/privacy
• name.com — domain registrar where we register domains on your behalf. name.com/privacy-policy

If we change a sub-processor or add a new one that materially affects your data, we'll update this list and email portal users about it.

Where Data Is Stored

Portal data lives in a Supabase project hosted in the EU (eu-west-2 region). It does not leave the European Economic Area for ordinary processing. Some sub-processors (e.g. Anthropic) may process data in the US under standard contractual clauses; we minimise what is sent to those services and never send your customers' personal data to them.

Retention & Deletion

Account, order and invoice records are retained while your account is active and for up to 6 years after closure to meet UK accounting and tax requirements (Companies Act 2006, HMRC).

End-customer data you stored in the portal (enquiries, quotes, invoices, jobs) is yours to manage. You can delete individual records at any time. If you cancel your subscription, you can request a one-off export and a full delete of your portal data — we will action that within 30 days.

Backups are kept for 30 days for disaster recovery and are then permanently overwritten.

Security & Breach Notification

We protect data with HTTPS in transit, encryption at rest, role-based access control, and audit logging. Where required, we will notify the ICO of a personal data breach within 72 hours, and notify affected portal users without undue delay.

If a breach affected end-customer data you control, we will tell you promptly so you can fulfil your own controller obligations to your customers.

Your Rights

Under UK GDPR, you have the right to:

• Request a copy of any personal data we hold about you
• Ask us to correct inaccurate data
• Ask us to delete your data
• Object to how we use your data

To exercise any of these rights, get in touch via the contact form on the homepage and we'll respond within 30 days.

If you're unhappy with how we handle your personal data, you also have the right to complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.

Changes to This Policy

We may update this policy from time to time. Any changes will be posted on this page with an updated date. We won't notify you of minor changes, but significant changes to how we use your data will be communicated clearly.

Contact

If you have any questions about this privacy policy or how your data is handled, please use the contact form on the homepage.