Privacy Policy

Version: 1.0
Last updated: 23 April 2026


This Privacy Policy explains how TradeScore (“we”, “us”, “our”) collects, uses, stores, and shares personal data when you use our website, applications, and related services (together, the “Service”).

For contractual terms, see our Terms of Service.


1. Introduction

We respect your privacy and aim to be transparent about what we do with personal data. This Policy describes:

  • What information we collect
  • How and why we use it
  • Who we share it with
  • How we protect it
  • Your rights under applicable data protection law (including the UK GDPR and, where relevant, the EU GDPR)
  • How to contact us

If you do not agree with this Policy, you should not use the Service.

Controller: TradeScore is typically the data controller for personal data we decide how and why to process. Where we process data only on behalf of another organisation, we act as a processor as described in our agreements.


2. What information we collect

We collect information that you provide directly, information generated when you use the Service, and (where applicable) information from third parties.

2.1 Information you provide

  • Identity and contact: name, email address, phone number.
  • Trade profile (tradespeople): trade type, business or professional details you choose to share.
  • Project and lead details (homeowners and trades): descriptions of work, timelines, budgets, locations or postcodes, property details you choose to include, photos or attachments if you upload them, and other free-text you submit.
  • Communications: messages you send us (for example support, disputes, or feedback).
  • Payment-related information: when you pay fees through the Service, payment card details are collected and processed by our payment provider (Stripe). We do not store full card numbers on TradeScore servers; we may receive limited payment metadata (for example last four digits, brand, status, transaction IDs) needed to operate billing and support.

2.2 Information collected automatically

  • Technical and usage data: IP address, device and browser type, approximate location derived from IP, pages viewed, referring URLs, timestamps, and similar diagnostics.
  • Cookies and similar technologies: as described in Section 7 (Cookies and tracking).

2.3 Information from third parties

We may receive information from payment partners (for example payment success or failure), fraud-prevention signals, or publicly available sources where permitted by law.

We do not buy or sell personal data lists.


3. How we use information

We use personal data for the following purposes:

| Purpose | Examples |
|--------|----------|
| Providing the Service | Creating and managing accounts, posting and displaying leads, matching homeowners with tradespeople, scoring or ranking leads where we offer that feature. |
| Payments and billing | Taking lead fees or other charges, issuing receipts, handling refunds where our Terms allow, reconciling accounts. |
| Communications | Service messages (for example about a lead or payment), security alerts, responding to support requests. Marketing emails would only be sent where the law allows and, where required, with your consent (we can describe that separately if we offer marketing). |
| Safety and integrity | Detecting fraud, abuse, spam, and misuse; enforcing our Terms of Service; protecting users and the platform. |
| Improvement and analytics | Understanding how the Service is used, fixing bugs, improving features, and (where we use analytics tools) measuring traffic and conversions. |
| Legal compliance | Complying with law, regulations, court orders, and responding to lawful requests from public authorities. |

We may use aggregated or de-identified information that cannot reasonably identify you for analytics, reporting, and product development.


4. Legal bases for processing (GDPR / UK GDPR)

Where UK or EU GDPR applies, we process personal data on one or more of the following bases:

  • Contract: processing necessary to perform our agreement with you (for example providing leads, taking payments).
  • Legitimate interests: for example securing the Service, preventing fraud, improving the product, and internal reporting, where we balance those interests against your rights.
  • Legal obligation: where the law requires us to process data (for example tax or accounting records).
  • Consent: where we rely on consent (for example certain non-essential cookies or optional marketing), you may withdraw consent at any time without affecting processing that was lawful before withdrawal.

5. Data sharing

We do not sell your personal data.

We may share personal data in these situations:

  • Stripe (payments): card and payment processing. Stripe processes payment data under its own terms and privacy policy. See Section 8 (Third-party services).
  • Our infrastructure and processors: personal data is processed on systems we operate or commission, including application logic (for example a Flask-based backend API) and databases. Staff and contractors with a need to know may access data under confidentiality and security obligations.
  • MongoDB (data storage): we store application data in MongoDB (for example MongoDB Atlas or self-hosted MongoDB). Configuration should keep data in the UK and/or EU where that is your requirement; confirm your actual region in internal documentation. MongoDB acts as a processor under its agreements and privacy policy.
  • Professional advisers: lawyers, accountants, or insurers where necessary.
  • Authorities: if required by law or to protect rights, safety, and property.
  • Business transfers: in connection with a merger, acquisition, or asset sale, subject to appropriate safeguards and notice where required.

We require service providers to protect personal data appropriately and to use it only for the purposes we specify.


6. Data security

We implement technical and organisational measures appropriate to the risk, which may include access controls, encryption in transit (for example HTTPS), secure credential handling, logging, and staff training.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security; we encourage you to use strong passwords and protect your devices.


7. Cookies and tracking

We and our partners may use cookies, local storage, and similar technologies to:

  • Operate essential features (for example sessions, security, load balancing).
  • Remember preferences where we offer them.
  • Measure usage and performance where we enable analytics (see below).

Google Analytics (and similar): If we enable Google Analytics or use the gtag interface on our site, Google may collect information such as pages visited and device data under Google’s privacy policy. Where required, we will obtain consent for non-essential analytics cookies and provide a way to manage preferences (for example a cookie banner or settings link).

You can control cookies through your browser settings. Blocking some cookies may affect how the Service works.


8. Third-party services

We rely on third parties who process data on our behalf or alongside our Service. Their use of data is governed by their own policies:

| Provider | Role | Privacy information |
|----------|------|---------------------|
| Stripe | Payment processing, fraud tools | https://stripe.com/privacy |
| MongoDB | Database / data storage | https://www.mongodb.com/legal/privacy-policy |
| Google | Analytics / measurement (if enabled) | https://policies.google.com/privacy |

We may add or change subprocessors as the Service evolves; we will update this Policy or a dedicated subprocessor list where appropriate.


9. International transfers

We aim to store and process personal data in the United Kingdom and European Economic Area where practicable (including MongoDB regions you configure).

If we transfer personal data outside the UK or EEA, we will use a lawful mechanism such as adequacy regulations, standard contractual clauses, or other approved safeguards, and (where required) complete transfer impact assessments.


10. Data retention

We keep personal data only as long as necessary for the purposes in Section 3, including:

  • Account and lead data: for the life of the account and a reasonable period afterwards to handle disputes, enforce terms, and comply with law.
  • Payment and accounting records: as required for tax, audit, and regulatory obligations (often several years).
  • Logs and security data: for a limited period for security monitoring and troubleshooting.
  • Marketing or consent records: if applicable, for as long as consent is valid or until you opt out.

You may request deletion as described in Section 11 (Your rights); we may retain certain information where the law requires or permits.


11. Your rights (GDPR / UK GDPR)

Depending on your location and the circumstances, you may have the following rights:

  • Right of access: obtain confirmation of processing and a copy of your personal data.
  • Right to rectification: correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”): request deletion where applicable (for example where data is no longer necessary or you withdraw consent).
  • Right to restrict processing: limit how we use your data in certain cases.
  • Right to data portability: receive your data in a structured, commonly used, machine-readable format and transmit it to another controller where processing is based on contract or consent and is carried out by automated means.
  • Right to object: object to processing based on legitimate interests or to direct marketing (if we send it).
  • Rights related to automated decision-making: where we use solely automated decisions with legal or similarly significant effects, you may have rights to human review (we will clarify if we introduce such processing).
  • Withdraw consent: where we rely on consent.
  • Lodge a complaint with a supervisory authority — in the UK, the Information Commissioner’s Office (ICO) at https://ico.org.uk.

To exercise any of these rights, contact us using the details in Section 16 (Contact us). We may need to verify your identity before responding. We will respond within the timeframes required by law (typically within one month, with possible extensions in complex cases).


12. Data Protection Officer

Some organisations must appoint a Data Protection Officer (DPO). Whether TradeScore requires a DPO depends on your legal analysis and scale of processing.

  • If we appoint a DPO, we will publish their contact details here.
  • Until then, privacy and data protection enquiries should be sent to support@tradescore.uk (or the address we publish on the site).

13. Data breaches

If we become aware of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, we will:

  • Assess the incident and take steps to contain and remediate it.
  • Where UK GDPR requires, notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to rights and freedoms.
  • Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms, unless an exception applies.

This section describes our intended approach; exact steps should be aligned with your incident response plan and legal advice.


14. Children’s privacy

The Service is not directed at children under 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal data from children for the Service. If you believe we have collected a child’s data, contact us and we will take appropriate steps to delete it.


15. Changes to this Policy

We may update this Policy from time to time. We will change the “Last updated” date and version at the top of this page. If changes are material, we will provide additional notice where appropriate (for example by email or a notice on the Service).

Continued use of the Service after the effective date of changes may constitute acceptance where permitted by law.


16. Contact us

For privacy questions, data subject requests, or concerns about this Policy:

Please include enough detail for us to identify your account or request (for example the email you used to register) and describe what you would like us to do.


End of Privacy Policy