Privacy Policy
Last updated: 2 June 2026 · Version: 1.1
This Privacy Policy explains how GMHCO LTD, trading as "TradesFlow" ("we", "us", "our"), collects and uses your personal data when you use the TradesFlow website and mobile apps (the "Platform"), and your rights under UK data protection law — the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025.
We are the data controller for the personal data described in this policy.
- Legal entity: GMHCO LTD, company number 16056150, registered in England & Wales
- Registered office: 5 Mallard Path, London, England, SE28 0EU
- ICO registration number: to be confirmed (registration in progress)
- Privacy contact: privacy@tradesflow.trade
1. The data we collect
Depending on whether you are a customer, a trader, or a visitor, we collect:
Account & identity
- name, email address, phone number, password (stored hashed), role (customer/trader)
- for traders: business details, ID document and selfie/verification data, insurance and
certification evidence, bank/payout details (handled via Stripe)
Job & transaction data
- job descriptions, location/address, photos and evidence you upload, quotes, change orders,
messages, completion confirmations, reviews and ratings
- payment and escrow records, payout records, refunds, VAT/fee information
Technical & usage data
- device identifiers and device fingerprint, IP address, app/browser type, language and
screen information, approximate or (for live job tracking) precise location, log data, and analytics about how you use the Platform
- cookies and similar technologies — see the Cookie Policy
Risk, fraud, and security data
- signals used for fraud, trust scoring, device trust, and AML monitoring (e.g. unusual
payment patterns, rapid cashouts, repeated cancellations)
We do not intentionally collect special-category data except where strictly necessary for identity verification (e.g. a biometric selfie check), which is carried out with appropriate safeguards and lawful basis.
2. Why we use it and our lawful bases
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Create and manage your account; provide the Platform | Contract |
| Match jobs, enable messaging, AI price guidance | Contract / Legitimate interests |
| Process payments, escrow, and payouts | Contract / Legal obligation |
| Trader verification (KYC), insurance & bank checks | Legal obligation / Contract |
| AML monitoring and fraud prevention; device trust; security | Legal obligation / Legitimate interests |
| Trust scores, reviews, and platform integrity | Legitimate interests |
| Live location tracking during an active job | Consent / Contract |
| Service emails and transactional notifications | Contract / Legitimate interests |
| Marketing communications | Consent (you can opt out at any time) |
| Analytics and improving the Platform | Legitimate interests / Consent (cookies) |
| Complying with law, tax, and responding to authorities | Legal obligation |
Where we rely on legitimate interests, we have balanced those interests against your rights. Where we rely on consent (e.g. marketing, certain cookies, precise location), you can withdraw it at any time.
3. Sharing your data
We share personal data only as needed to run the Platform:
- Between customers and traders — the information needed for a job (e.g. name, job
details, address for the trader you hire, messages). We do not share more than necessary.
- Stripe — our payments and identity/KYC partner, to process payments, escrow, payouts,
and verification.
- Firebase / Google Cloud — authentication, real-time data, push notifications, and
hosting infrastructure (London/EU region where possible).
- Service providers — email delivery, notifications, search, analytics, and error
monitoring, acting as our processors under contract.
- Authorities, regulators, and advisers — where required by law, to prevent fraud or
crime, or to establish, exercise, or defend legal claims.
We do not sell your personal data.
4. International transfers
We aim to store and process data in the UK/EU. Where a provider processes data outside the UK, we rely on appropriate safeguards (such as UK adequacy regulations or the ICO's International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses).
5. How long we keep it (retention)
We keep personal data only as long as necessary. Our core retention rules are:
- Payment and financial records — 7 years (legal/tax obligation)
- Audit logs — 7 years
- Chat / messages — 2 years
- Analytics — anonymised and retained in aggregate
- Account data — for the life of your account; after closure, deleted or anonymised
except where we must keep it (e.g. the financial/audit records above)
When you delete your account, we remove or anonymise your personal details but retain non-personal job and transaction records needed for legal compliance.
6. Your rights
You have the following rights over your personal data:
- the right to be informed about how we use your data — this policy provides that;
- the right of access — get a copy of the personal data we hold about you (a "subject
access request", or SAR);
- the right to rectification — have inaccurate or incomplete data corrected;
- the right to erasure (the "right to be forgotten") — subject to records we must keep,
such as financial and audit records;
- the right to restrict processing — limit how we use your data;
- the right to object — object to processing based on legitimate interests, and to
direct marketing at any time;
- the right to data portability — receive certain data in a portable, machine-readable
format;
- rights relating to automated decision-making and profiling — see section 6a;
- the right to withdraw consent at any time where we rely on consent.
You can make a subject access request, exercise data export, or delete your account directly in the app (Profile → Data & Privacy), or contact us at privacy@tradesflow.trade. We respond within one month, free of charge in most cases.
Complaints
If you are unhappy with how we handle your data, please tell us first at privacy@tradesflow.trade so we can try to put it right — the ICO asks individuals to give the organisation a chance to resolve a complaint (normally allowing one month to respond) before escalating. If you are still unhappy, you have the right to complain to the UK regulator, the Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint.
6a. Automated decisions and profiling
TradesFlow uses some automated processing to run the marketplace safely and efficiently — for example AI-assisted price guidance, automated job matching/dispatch, trust scores, and fraud, AML, and device-trust checks. Most of these support decisions rather than replace human judgement, and the price estimate is guidance only (you and the trader agree the actual price).
Where an automated check could significantly affect you — for example automatically restricting or blocking an account on fraud-risk grounds — you have the right not to be subject to a decision based solely on automated processing, to be told about it, to request human review, to express your point of view, and to contest the decision. Contact privacy@tradesflow.trade to ask for a human to review such a decision.
7. Consent tracking
Where you accept our terms or give consent (for example at sign-up, or for marketing or location), we record that consent timestamped and versioned, so we have an accurate record of what you agreed to and when.
8. Security
We protect your data with measures including encryption in transit, hashed passwords, role-based access control, backend-only handling of sensitive operations (no secrets on your device), device-bound sessions, device-trust and fraud monitoring, and infrastructure hardening (WAF, DDoS protection, rate limiting). No system is perfectly secure, but we work to protect your data and will notify you and the ICO of a breach where the law requires.
9. Children
The Platform is not intended for anyone under 18, and we do not knowingly collect data from children.
10. Changes and contact
We may update this policy; we will change the "Last updated" date and, for material changes, notify you. Questions or requests: privacy@tradesflow.trade, or write to GMHCO LTD, 5 Mallard Path, London, England, SE28 0EU.