Privacy Policy

1. Introduction

TradeAlly ("we", "our", or "us") provides an AI-powered receptionist and lead management service for trade businesses in the United Kingdom. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our service.

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Our Role: Controller vs Processor

2.1 When We Act as Data Controller

TradeAlly is the data controller for:

• Trade business account holders (our direct customers)
• Visitors to our website and landing pages
• Users of our demo widget
• Marketing and sales contacts

2.2 When We Act as Data Processor

TradeAlly acts as a data processor on behalf of trade businesses for:

• Customers who call the trade business
• Lead and appointment data created during calls
• SMS messages sent to the trade business's customers

In these cases, the trade business is the data controller and is responsible for ensuring their customers are appropriately informed about data processing. TradeAlly processes this data only as instructed by the trade business under our Data Processing Agreement.

2.3 Expense and Receipt Data

When trade businesses use our expense tracking features to upload receipts and record expenses, TradeAlly acts as a data processor for any personal data contained in those receipts (e.g., supplier names, addresses). The trade business remains the data controller for their own financial records.

3. Information We Collect

3.1 Information You Provide Directly (Trade Businesses)

• Account Information: Business name, owner name, email address, phone number, trade type, service area
• Payment Information: Billing address, payment card details (processed securely via Stripe - we do not store card numbers)
• Business Profile: Service areas, business hours, pricing information, service types offered
• Communications: Support tickets, feedback, survey responses

3.2 Information Collected During Calls (Caller Data)

When someone calls a trade business using our service, our AI assistant collects:

• Caller's phone number
• Name (if provided)
• Service requirements and job details
• Location/postcode
• Urgency and availability preferences

3.3 Information Collected Automatically

• Call Metadata: Call duration, timestamps, call outcome (answered, missed, etc.)
• Usage Data: Features used, login times, dashboard interactions
• Device Information: IP address, browser type, operating system
• Cookies: Session cookies for authentication, preference cookies for settings

3.4 Landing Page Demo Widget

When you interact with our AI demo widget on our website:

• Conversation Data: Transcript of your demo conversation
• Contact Information: Any details you voluntarily provide
• Session Data: Conversation duration, timestamp

Legal Basis: Consent obtained when you start the demo.
Retention: Demo data is deleted after 90 days.

3.5 Expense and Receipt Data

When trade businesses use our expense tracking features:

• Receipt Images: Photographs or scans of receipts uploaded by the user
• PDF Documents: Supplier invoices or expense documents
• Extracted Data: Merchant name, date, line items, amounts, and VAT extracted via optical character recognition (OCR)
• Mileage Records: Journey dates, distances, and rates entered by the user
• Job Linkage: Association between expenses and specific jobs or leads

4. How We Handle Calls

4.1 Real-Time Processing

When a call is answered by our AI assistant, the conversation is processed in real-time to understand the caller's needs and provide helpful responses. This processing uses conversational AI technology provided by ElevenLabs.

4.2 Zero Audio Retention

We operate with zero audio retention. This means:

• No call recordings are made or stored
• No audio files are retained after the call ends
• Voice data is processed transiently and discarded

4.3 Quality Assurance Monitoring

To ensure service reliability and improve our AI, we collect operational metrics including:

• Call timestamps and duration
• Call outcomes (completed, transferred, etc.)
• Intent classification (structured labels only, e.g., "booking request", "price enquiry")
• Technical performance data (response times, any errors)

This data contains no personal identifiers and is used for fault diagnosis and service improvement under our legitimate interests.

4.4 When TradeAlly Sends SMS on Behalf of a Business

When a trade business uses our messaging features, SMS confirmations may include a link to this privacy policy for transparency about how calls and messages are handled.

5. How We Use Your Information

5.1 To Provide Our Services

• Operating the AI receptionist to answer business calls
• Creating and managing leads in the business dashboard
• Sending SMS messages on behalf of the business
• Scheduling appointments and managing calendars
• Generating and sending quotes to customers
• Processing payments and managing subscriptions

5.2 To Maintain and Improve Our Services

• Monitoring system reliability and performance
• Identifying and fixing technical issues
• Improving AI accuracy and conversation quality
• Developing new features based on usage patterns
• Analysing expense and receipt data to calculate job profitability and, in future, to provide anonymised benchmarking insights to users

5.3 For Communications

• Sending service updates and important notices
• Responding to support requests
• Billing and payment notifications
• Marketing communications (only with your consent)

6. Legal Basis for Processing (UK GDPR)

We process personal data based on the following legal grounds:

• Contract Performance: Processing necessary to deliver our services under our Terms of Service
• Legitimate Interests: Service reliability, fault diagnosis, quality improvement, fraud prevention, and security. We have conducted Legitimate Interest Assessments for these purposes. This includes analysing anonymised expense data to develop benchmarking features that help trade businesses price jobs competitively.
• Consent: For marketing communications and optional features like the demo widget
• Legal Obligations: Compliance with tax, accounting, and other legal requirements

7. Data Sharing and Service Providers

7.1 Service Providers

We share data with trusted third-party service providers who assist in operating our service:

• Heroku (Salesforce): Cloud hosting and application platform
• Heroku PostgreSQL: Database services
• Heroku Redis: Session management and caching
• Telnyx: Telephone and SMS services
• ElevenLabs: Conversational AI voice technology (zero retention mode enabled)
• OpenAI: Natural language processing for lead enrichment
• Stripe: Payment processing
• Cloudinary: Image and document storage (business logos, general files)
• Cloudflare R2: Secure storage of receipt images and PDF documents uploaded via our expense tracking features

All service providers are bound by data processing agreements and process data only as instructed.

7.2 Legal Requirements

We may disclose information when required by law, court order, or to protect our rights and safety.

7.3 Business Transfers

In the event of a merger, acquisition, or sale, your information may be transferred to the successor entity with equivalent privacy protections.

7.4 With Your Consent

We will share your information with other parties only with your explicit consent.

8. Data Retention

• Account Data: Retained for the duration of your subscription plus 90 days
• Call Audio: Not retained (zero retention mode)
• Lead Data: Retained for 2 years after last interaction, then anonymised or deleted
• SMS/Message Data: Retained for 2 years, then automatically anonymised. Message content and phone numbers are removed; metadata (timestamps, channel, status) is retained for analytics
• Operational Metrics: Retained indefinitely in anonymised form for analytics
• Quality Assurance Data: 30-90 days depending on purpose, then automatically deleted
• Sandbox/Trial Data: Deleted 30 days after trial expiry
• Financial Records: Retained for 7 years as required by UK law
• Marketing Data: Until you withdraw consent

8.1 Financial and Expense Records

Expense records, including receipt images, extracted data, and mileage logs, are retained for the duration required by HMRC regulations:

• Sole traders: 5 years from the 31 January self-assessment deadline
• Limited companies: 6 years from the end of the accounting period

In practice, this means expense records may be retained for up to 7 years. After this period, records are permanently deleted unless the user requests earlier deletion (which we will action unless we have a legal obligation to retain them).

9. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Access: Request a copy of your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Request limited processing of your data
• Portability: Receive your data in a machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise these rights, email us at privacy@tradeally.co.uk

For callers to trade businesses: If you called a trade business and wish to exercise your rights regarding data collected during that call, please contact the trade business directly as they are the data controller. They may then instruct us to action your request.

10. Data Security

We implement appropriate technical and organisational measures to protect your data:

• Encryption in transit (TLS/SSL) and at rest
• Secure cloud infrastructure with Heroku's enterprise-grade security
• Access controls and authentication
• Regular security updates and monitoring
• Incident response procedures

11. International Data Transfers

Your data may be transferred to and processed in countries outside the UK, including the United States where some of our service providers are located. We ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the UK ICO
• UK-US Data Bridge framework where applicable
• Adequacy decisions where applicable

12. Children's Privacy

Our services are intended for businesses and are not directed at individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through our dashboard. The "Last Updated" date at the top indicates when the policy was last revised.

14. Contact Information