Privacy Policy

1. Information We Collect

1.1 Information You Provide

We collect information you provide directly to us, including:

• Account registration data (name, email, company details)
• Profile information and preferences
• Customer and job data you input into our system
• Communication content (support tickets, chat messages)
• Payment information processed by Stripe
• SMS consent and phone numbers for communications

1.2 Automatically Collected Information

We automatically collect technical and usage data:

• Device information (IP address, browser type, operating system)
• Usage patterns and feature interactions
• Log files and error reports
• Session recordings for support and improvement purposes
• Location data (if you enable location services)
• Cookies and similar tracking technologies

1.3 Third-Party Sources

We may receive information from:

• Stripe (payment processing and fraud prevention)
• Twilio (SMS delivery status and phone number validation)
• Analytics providers (usage statistics and performance metrics)
• Public databases for business verification

1.4 Personal Access Tokens & API Metadata

When you generate Personal Access Tokens (PATs) we store only a salted hash, associated scopes, expiry dates, and audit metadata. We never persist the plaintext token value after creation. Each API request records the issuing user/org, token identifier, x-agent attribution, IP address, endpoint, status code, idempotency key, and timestamps so we can enforce rate limits, investigate abuse, and provide an audit trail.

2. How We Use Your Information

We use the information we collect to provide, maintain, and improve our services, process transactions, and communicate with you.

3. Information Sharing

We do not sell, trade, or rent your personal information to third parties. We may share your information only in specific circumstances outlined in this policy.

4. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Personal Access Tokens are stored as one-way hashes, transport is encrypted via TLS 1.2+, and sensitive configuration such as Stripe and Twilio credentials is segregated with role-based access controls. API audit logs are restricted to privileged staff and are retained only for the purposes outlined in this policy.

Supabase (our managed PostgreSQL provider) confirmed in their 2025 infrastructure audit that all databases, write-ahead logs, and object storage buckets are encrypted at rest using AES-256 with keys managed via HashiCorp Vault. We additionally encrypt file uploads during transit and generate signed URLs that expire automatically to minimize exposure.

5. Your Rights

Under GDPR, UK Data Protection Act 2018, and other applicable privacy laws, you have the following rights:

5.1 Access and Information

• Right to Access: Request copies of your personal data
• Right to Information: Understand how your data is processed

5.2 Control and Correction

• Right to Rectification: Correct inaccurate personal data
• Right to Erasure: Request deletion of your personal data
• Right to Restrict Processing: Limit how we use your data
• Right to Object: Object to processing for certain purposes

5.3 Data Portability

You have the right to receive your data in a structured, commonly used format and transfer it to another service provider.

5.4 How to Exercise Your Rights

To exercise these rights, contact us at privacy@toolfy.io with:

• Clear identification of yourself and your account
• Specific details of your request
• Proof of identity (if required)

We will respond within 30 days. For complex requests, we may extend this by 60 days with notification. You may also file complaints with your local data protection authority.

6. Cookies and Tracking Technologies

We use various technologies to collect and store information:

6.1 Types of Cookies

• Essential Cookies: Required for authentication and security
• Performance Cookies: Help us analyze usage and improve service
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Measure traffic and user behavior

6.2 Cookie Management

You can control cookies through your browser settings. Disabling essential cookies may affect service functionality. See our Cookie Policy for detailed information.

7. International Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place.

8. Data Retention

We keep your information only as long as needed for business and legal purposes:

8.1 Trades Record-Keeping Requirements

• Job records: 6 years (for warranty and Building Regulations compliance)
• Gas work certificates: 2 years minimum (Gas Safety Regulations)
• Electrical certificates: As per Part P requirements
• VAT records: 6 years (HMRC requirements)
• Employee records: Up to 6 years after employment ends
• Health & Safety records: 3 years minimum

8.2 Account Data

After you cancel your account, we keep essential records for legal compliance but delete unnecessary personal data within 90 days.

8.3 API Logs

API access logs (including hashed token identifiers, x-agent values, route information, and response metadata) are retained for up to 12 months to support security investigations, rate limiting, and customer support enquiries. Aggregated statistics may be stored longer in anonymised form.

9. Children's Privacy

Our services are not intended for children under 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided personal information, we will delete it promptly.

If you are a parent or guardian and believe your child has provided personal information to us, please contact privacy@toolfy.io immediately.

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page.

11. UK-Specific Regulations

11.1 ICO Registration

We are registered with the UK Information Commissioner's Office (ICO). You can file complaints directly with the ICO at ico.org.uk if privacy concerns cannot be resolved with us directly.

11.2 PECR Compliance

Under UK Privacy and Electronic Communications Regulations (PECR), we:

• Obtain clear consent before sending marketing messages
• Provide easy opt-out mechanisms in all communications
• Respect Do Not Call preferences
• Comply with cookie consent requirements

11.3 Ofcom Telecommunications

For SMS services, we comply with Ofcom regulations including number portability rules and emergency services access requirements.

12. Contact Us

If you have questions about this privacy policy, please contact us at:

• Email: privacy@toolfy.io
• Address: Toolfy Ltd, London, UK
• ICO complaints: ico.org.uk

13. Legal Basis for Processing

We process your personal data based on:

• Contract performance (providing field service software)
• Legitimate business interests (service improvement, fraud prevention)
• Legal compliance (tax records, data protection obligations)
• Your consent (marketing communications, optional features)

13. Third-Party Services

We integrate with several third-party services that may process your data:

13.1 Payment Processing

Stripe, Inc. - Processes payments, stores payment methods, and conducts fraud prevention. Data shared includes billing information, transaction details, and usage patterns for risk assessment.Stripe Privacy Policy

13.2 Communication Services

Twilio Inc. - Handles SMS messaging and phone number provisioning. Data shared includes phone numbers, message content, and delivery status.Twilio Privacy Policy

Postmark (Wildbit, LLC) - Delivers transactional emails including invoices and notifications. Data shared includes email addresses and message content.Postmark Privacy Policy

13.3 Infrastructure and Analytics

Vercel Inc. - Hosts our application and collects performance data.Vercel Privacy Policy

Supabase Inc. - Provides database and authentication services.Supabase Privacy Policy

13.4 Data Sharing Limitations

We share only the minimum data necessary for these services to function. We have data processing agreements with these providers to ensure they protect your information according to applicable privacy laws.

14. Jurisdiction-Specific Rights

14.1 California Consumer Privacy Act (CCPA)

If you are a California resident, you have additional rights under CCPA:

• Right to Know: Categories and specific pieces of personal information collected
• Right to Delete: Request deletion of personal information (with exceptions)
• Right to Opt-Out: We do not sell personal information
• Right to Non-Discrimination: Equal service regardless of privacy choices
• Right to Correct: Request correction of inaccurate personal information

To exercise these rights, contact us at privacy@toolfy.io with "CCPA Request" in the subject line.

14.2 Canadian Personal Information Protection (PIPEDA)

For Canadian residents, we comply with PIPEDA principles:

• Consent: Meaningful consent for collection, use, and disclosure
• Limiting Collection: Collect only information necessary for identified purposes
• Access Rights: Right to access and correct personal information
• Complaints: Contact Privacy Commissioner of Canada for unresolved issues

14.3 Australian Privacy Principles (APP)

For Australian residents, we comply with the Privacy Act 1988:

• Collection Notice: Clear notice of collection purposes
• Access and Correction: Right to access and correct personal information
• Data Breach Notification: Notification of eligible data breaches
• Complaints: Contact Office of the Australian Information Commissioner

15. Data Protection Officer and Contacts

For privacy inquiries by jurisdiction:

• GDPR/UK inquiries: dpo@toolfy.io
• CCCA/US inquiries: privacy-us@toolfy.io
• PIPEDA/Canada inquiries: privacy-ca@toolfy.io
• APP/Australia inquiries: privacy-au@toolfy.io