Privacy Policy

1. Introduction

Bulldogs Digital Ltd ("we", "us", "our", or "Company") operates the Trades Panel construction management application (web and mobile versions) and is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our services.

Company Details:

• Company Name: Bulldogs Digital Ltd
• Company Number: 14123590
• Registered Address: 3 Church Street, Littlehampton, West Sussex, BN17 5EL, United Kingdom
• Data Controller: Bulldogs Digital Ltd
• Contact: support@tradespanel.com

2. Information We Collect

2.1 Personal Information You Provide

Account Information:

• Name (first name, last name, full name)
• Email address (used for authentication and communication)
• Phone number (optional)
• Login credentials (passwords are encrypted using bcrypt)
• Profile image (optional)
• Business information (company name, role within company)

Business Data:

• Customer and contact information (names, email addresses, phone numbers, addresses)
• Project and job details (descriptions, locations, status, schedules)
• Document uploads and file attachments (PDFs, images, spreadsheets)
• Financial information (invoices, quotes, payments, purchase invoices)
• Time tracking and scheduling data (clock in/out times, GPS locations with permission)
• Communications and messages within the platform
• Staff information (roles, payment details, working schedules)

Support Ticket Information:

• Support ticket subject, description, priority, and category
• File attachments (screenshots, PDFs, images) - you choose what to attach
• Technical metadata (browser, operating system, device type, screen resolution) - automatically collected to help diagnose issues
• Current page URL (web app only) - automatically collected to identify where issues occur
• Browser console logs (errors and warnings only) - only with your explicit opt-in consent to help diagnose technical issues
• App version (mobile app) - automatically collected

Note: Console log collection is entirely optional. You can submit support tickets without sharing console logs. Only error and warning messages are captured, not all console output. This information is stored securely and accessed only by our support team.

Payment Information:

• Billing address and contact details
• Payment method information (processed securely through Stripe - we do not store full payment card details)
• Subscription and billing history

Special Category Data:

• GPS Location Data: Only collected with your explicit permission on mobile devices for time tracking and job site mapping
• Financial Data: Staff salary information (day rates, annual salaries) processed for employment purposes

2.2 Information We Collect Automatically

Technical Information:

• IP address and general location information (based on IP)
• Device information (browser type, operating system, device type)
• Usage data and analytics (pages visited, features used) - with your consent
• Log files and error reports - with your consent
• Session information and authentication tokens
• Device fingerprinting data (for security purposes)
• Support ticket technical metadata (browser version, OS version, device type, screen resolution, current URL) - automatically collected when you submit a support ticket to help our support team diagnose issues

Location Data:

• Address information for projects and customers (you provide this)
• Geocoded coordinates for mapping features (when you provide addresses)
• GPS location data (only with explicit mobile app permission for time tracking)

Analytics Data (with consent):

• Page views and navigation patterns
• Feature usage statistics
• Performance metrics
• Form interaction data

3. How We Use Your Information

3.1 Primary Purposes

We process your personal information for the following purposes:

Service Provision (Legal Basis: Contract Performance - Article 6(1)(b) GDPR):

• Providing and maintaining the Trades Panel application
• Managing your account and user authentication
• Enabling project management, scheduling, and job tracking features
• Processing payments and billing
• Providing customer support and technical assistance
• Processing support tickets, including technical metadata (browser, OS, device info) and file attachments to diagnose and resolve issues
• Delivering push notifications (mobile apps)
• Processing and storing documents you upload

Business Operations (Legal Basis: Legitimate Interest - Article 6(1)(f) GDPR):

• Improving and optimizing our services
• Developing new features and functionality
• Ensuring security and preventing fraud
• Monitoring for suspicious activity
• Internal business administration
• Performance monitoring (with consent)

Legal Compliance (Legal Basis: Legal Obligation - Article 6(1)(c) GDPR):

• Complying with applicable laws and regulations
• Responding to legal requests and law enforcement
• Tax and accounting requirements (7-year retention)
• Data retention as required by law

Special Category Data Processing:

• GPS Location Data: Processed with your explicit consent (Article 9(2)(a) GDPR) for time tracking and job site mapping
• Financial Data (Salaries): Processed for employment contract purposes (Article 9(2)(b) GDPR)

3.2 Communication

We may use your contact information to:

• Send service-related notifications and updates (transactional emails)
• Provide customer support responses
• Share important account or billing information
• Send marketing communications (only with your explicit consent)
• Send security alerts (e.g., suspicious login attempts)

Marketing Communications:

• We use Postmark for transactional and marketing emails
• Marketing emails are only sent with your explicit consent
• You can unsubscribe at any time via the link in emails or by contacting us

4. Information Sharing and Disclosure

4.1 Third-Party Service Providers

We share your information with carefully selected service providers who assist us in operating our business. All processors are bound by data processing agreements:

Infrastructure and Hosting:

• Supabase (database hosting and management) - Location: London, UK - DPA: ✅ Data Processing Agreement in place
• Vercel (web application hosting and deployment) - Location: UK (primary) - DPA: ✅ Covered in Vercel terms

Payment Processing:

• Stripe (payment processing and billing management) - Location: Global (primary: UK, US, EU) - DPA: ✅ Data Processing Agreement in place - PCI-DSS: ✅ Stripe is PCI-DSS certified

Communication Services:

• Postmark (transactional and marketing email delivery) - Location: US-based - DPA: ✅ Data Processing Agreement in place - SCCs: ✅ Standard Contractual Clauses in place

Mapping and Location Services:

• Mapbox (web application - interactive mapping and address visualization) - Location: Global - DPA: ✅ Mapbox Data Processing Agreement in place - Cookies: None (uses localStorage for caching)
• Google Maps API (Android mobile app - address geocoding and mapping features) - Location: Global - DPA: ✅ Google Cloud Data Processing Agreement in place
• Apple Maps (iOS mobile app - platform-native mapping) - Location: Apple data centers - No third-party data sharing

Analytics and Monitoring (with consent):

• Google Analytics 4 (GA4) (website analytics and user behavior tracking) - Location: Global (Google data centers) - Consent: ✅ Required - only loaded with your consent - DPA: ✅ Google Cloud Data Processing Agreement in place - Data collected: Page views, user interactions, device information, IP addresses (anonymized), location data (general)
• Vercel Analytics (website analytics) - Consent: ✅ Required - only loaded with your consent
• Vercel Speed Insights (performance monitoring) - Consent: ✅ Required
• Facebook Pixel (conversion tracking and advertising analytics) - Location: Global (Facebook data centers) - Consent: ✅ Required - only loaded with your consent - DPA: ✅ Facebook Data Processing Agreement in place - Data collected: Page views, conversion events (e.g., signup form submissions), device information, IP addresses (anonymized), general location data - Purpose: Track conversions and measure advertising effectiveness
• Sentry (error tracking and debugging) - Location: US-based - Consent: ✅ Required - DPA: ✅ Data Processing Agreement in place - SCCs: ✅ Standard Contractual Clauses in place

Security Services:

• Vercel BotID (bot protection) - Location: Global - Server-side bot detection, no client-side cookies or tracking

AI Services:

• Anthropic (Claude API) (AI-powered features) - Location: US-based - DPA: ✅ Data Processing Agreement in place - SCCs: ✅ Standard Contractual Clauses in place

Document Processing Services:

• Google Cloud DocumentAI (PDF invoice parsing and data extraction) - Location: Global (EU endpoint: eu-documentai.googleapis.com) - DPA: ✅ Google Cloud Data Processing Agreement in place - Data shared: PDF document content, extracted invoice data

Mobile App Services:

• Expo Push Notification Service (push notifications) - Location: Global - DPA: ✅ Data Processing Agreement in place

File Storage:

• Supabase Storage (document and file storage) - Location: London, UK - Files are encrypted at rest - Access controlled via signed URLs
• Support ticket attachments (screenshots, PDFs, images) are stored securely in Supabase Storage with the same encryption and access controls

4.2 Legal Requirements

We may disclose your information when required by law, such as:

• Responding to court orders, subpoenas, or legal process
• Protecting our rights, property, or safety
• Preventing or investigating suspected fraud or illegal activities
• Complying with regulatory requirements

5. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

Technical Safeguards:

• Encryption of data in transit (HTTPS/TLS)
• Encryption of data at rest (Supabase database and storage)
• Secure authentication and session management
• Password hashing (bcrypt with 12 rounds)
• Multi-tenant architecture with strict data isolation
• Access controls and audit logging
• Signed URLs for file access
• HTTP-only and Secure cookies
• CAPTCHA protection on authentication forms
• Device fingerprinting and suspicious activity detection

Organizational Safeguards:

• Access limited to direct employees of Bulldogs Digital Ltd
• Staff training on data protection and privacy
• Regular review of data processing activities
• Incident response procedures
• Vendor security assessments

6. Data Retention

We retain your personal information only as long as necessary for the purposes outlined in this policy:

• Account Data: Retained while your account is active and for up to 7 years after account closure for legal and tax purposes
• Business Data: Retained while your account is active and for 7 years after account closure (tax and legal requirements)
• Financial Records: 7 years (tax requirement)
• Session Data: Active sessions: 30 days, Login attempts: 1 year, Security events: 2 years
• Communication Data: Support tickets: 3 years, Email communications: 3 years
• Support Ticket Data: Support tickets, attachments, and technical metadata (including console logs if provided): 3 years from ticket creation
• Analytics Data (with consent): Retained for 2 years
• Document Storage: Retained while account is active and for 7 years after account closure

7. Your Rights Under GDPR

As a data subject under the General Data Protection Regulation (GDPR), you have the following rights:

• Right of Access (Article 15): Request confirmation of whether we process your personal data and obtain a copy
• Right to Rectification (Article 16): Request correction of inaccurate personal data
• Right to Erasure (Article 17): Request deletion of your personal data in certain circumstances
• Right to Restrict Processing (Article 18): Request limitation of processing in specific situations
• Right to Data Portability (Article 20): Receive your personal data in a structured, machine-readable format
• Right to Object (Article 21): Object to processing based on legitimate interests or direct marketing

To exercise your rights, please contact us at support@tradespanel.com. We will respond within one month (or two months for complex requests).

8. Cookies and Tracking

Our web application uses cookies and similar technologies. For detailed information, please see our Cookie Policy.

Essential Cookies (No Consent Required):

• Session management and authentication
• Security and fraud prevention

Analytics Cookies (Consent Required):

• Usage analytics and performance monitoring
• Error tracking and debugging

9. International Data Transfers

Your personal information may be processed in countries outside the United Kingdom. For transfers to countries without an adequacy decision (e.g., US), we implement appropriate safeguards including Standard Contractual Clauses (SCCs) and Data Processing Agreements with all processors.

10. Children's Privacy

Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.

11. Mobile Application Specific Provisions

Our mobile applications may request permissions for:

• Location Services: Only with explicit permission for time tracking and job site mapping
• Camera and File Access: For document capture and upload, including support ticket attachments (screenshots)
• Push Notifications: For job reminders and updates (can be disabled)

Support Ticket Data Collection (Mobile):

• When you submit a support ticket via our mobile app, we automatically collect: app version, device OS information, device type, and timezone
• You can optionally attach screenshots to help illustrate issues
• Console log collection is available on mobile but requires explicit opt-in consent

12. Customer Contact Data

Important: When you add customer contacts to Trades Panel, you are the data controller for that personal data. We act as a data processor, hosting and processing the data on your behalf. We do not use customer contact data for our own purposes.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect:

• Changes in our data processing practices
• New legal or regulatory requirements
• Improvements to our services
• New third-party integrations

We will notify you of material changes through:

• Email notification to your registered address
• Prominent notice within the application
• Updates to the "Last Updated" date at the top of this policy

Continued use of our services after changes constitutes acceptance of the updated policy.

14. Contact Information

For questions about this Privacy Policy, data protection, or to exercise your rights:

Email: support@tradespanel.com
Postal Address:
Data Protection Officer
Bulldogs Digital Ltd
3 Church Street
Littlehampton
West Sussex
BN17 5EL
United Kingdom

Supervisory Authority:

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Website: https://ico.org.uk
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

15. Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on personal data, including collection, use, storage, and deletion.

Data Controller: The entity that determines the purposes and means of processing personal data (Bulldogs Digital Ltd).

Data Processor: The entity that processes personal data on behalf of the data controller (e.g., Supabase, Stripe).

Data Subject: The individual to whom personal data relates (you, our users).

Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. In our case, this includes GPS location data (when collected).

16. Legal Basis Summary

The following table summarizes the legal basis for our processing activities: