Legal
Privacy Policy
Effective 21 May 2026. Plain English summary, then the detail.
In one paragraph
We collect the minimum information needed to run a referral platform: account details for users, customer contact details that partners submit (with the customer's consent), and standard billing details for paying companies. We don't sell data, don't use it for advertising, and only share it with the services we need to operate (Stripe, Resend, Vercel, Neon). You can ask us for a copy of your data, or to delete it, by emailing [email protected].
1. Who we are
TradeRefer("we", "us") is operated as a sole trader business in the United Kingdom. For privacy matters, contact [email protected].
2. What we collect & why
We collect three categories of personal data:
- Account information— name, email, phone, business name and (where relevant) UK bank sort code and account number, so partners can be paid. Lawful basis: performance of a contract (you've asked us to provide the service).
- Customer referral data— when a partner submits a referral, we receive the end customer's name, phone, email, address and any notes. The partner confirms at submission that they have the customer's permission to share these details. Lawful basis: legitimate interest of the business receiving the referral, with the partner having obtained the customer's consent.
- Billing information — handled by Stripe. We see the last 4 digits of the card and the billing email; we never see or store full card numbers.
3. Who's the data controller?
For account-level data (logins, billing, partner profiles),TradeRefer is the data controller. For end-customer referral data submitted by partners, the Customer business running the programme is the data controller — we act as their processor. If you're a customer who was referred to a business through this platform and want to exercise your rights, contact that business directly; we'll cooperate with them on any request.
4. How we use your data
- To create and manage your account and provide the service.
- To send transactional emails (signup confirmation, password reset, new-referral alerts, billing receipts).
- To debug, secure and improve the platform — we keep server logs and error traces for a limited period.
- To comply with legal obligations (tax records, anti-fraud, valid requests from authorities).
We do notuse your data for advertising, don't sell it to anyone, and don't share it with third parties beyond the operational subprocessors below.
5. Subprocessors
We use the following services to operate TradeRefer:
- Vercel — hosting and edge delivery (USA, with EU edge locations). Standard Contractual Clauses in place.
- Neon — managed Postgres database, EU (London / Ireland) region.
- Stripe — subscription billing and payments. Stripe is the data controller for card data.
- Resend — transactional email delivery (EU).
- Cloudflare — DNS, CDN and edge security (USA with EU edge locations).
Each service has its own privacy policy and processes data only on our instructions.
6. How long we keep data
- Account data — for as long as the account is open, plus 6 years afterwards for accounting/tax compliance (HMRC requires retention of business records).
- Referral data— retained while the receiving business's account is active. Closed accounts have their referral data deleted after a reasonable wind-down period.
- Server logs — usually 30 days, longer for security investigations.
7. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Have it corrected if inaccurate.
- Have it deleted (subject to retention obligations above).
- Restrict or object to processing.
- Export it in a portable format.
- Complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, email [email protected]. We'll respond within one calendar month.
8. Cookies
We use a single first-party cookie (traderefer_session) to keep you logged in. It's essential for the service to work — no marketing or analytics cookies are set. We don't use Google Analytics or any similar tracking.
9. International transfers
Most of our data sits in EU regions (Neon, Resend) or on-premise UK infrastructure. Where data flows to non-EU countries (Vercel and Cloudflare edge infrastructure), we rely on the UK's adequacy mechanisms and Standard Contractual Clauses.
10. Security
Passwords are hashed with bcrypt before storage. All traffic is encrypted in transit (HTTPS, HSTS). Database backups are encrypted at rest. We'll notify affected users and the ICO within 72 hours of any breach that puts personal data at risk.
11. Changes to this policy
We'll update this page when our practices change. If the change is material, we'll notify active users by email. The effective date at the top of this page always shows the current version.
12. Contact
Privacy questions, data requests, or complaints: [email protected].
This policy is a working draft pending review by a UK solicitor. The substance reflects our actual practice, but the wording will be tightened before TradeRefer reaches material scale.
