1. Who we are
OnlyTrade is operated by Howells Digital Ltd, a company registered in England and Wales. We are the data controller for personal data collected through onlytrade.ai and the OnlyTrade app.
Contact details:
2. Data we collect
2.1 Account data
When you create an account, we collect:
- Full name
- Business name & trading name
- Email address and phone number
- Trade type (plumber, electrician, etc.)
- Business address & service area
- Accreditation numbers (Gas Safe, NICEIC, NAPIT, etc. — optional)
- Password (stored as a bcrypt hash; we never see your plain-text password)
2.2 Customer data you enter
OnlyTrade is a tool for managing your own customers. You may enter personal data about your customers (names, addresses, phone numbers, email addresses, job history, photos). For that data, you are the data controller and we are the data processor. Our responsibilities are set out in our Data Processing Agreement (available on request).
2.3 Usage & device data
When you use the app, we collect:
- IP address, device type, browser, operating system
- Pages visited, features used, session length
- Error and crash reports
- Approximate location (city-level, from IP)
- Precise location (only when you enable GPS tracking for jobs — fully optional)
2.4 Payment data
Card and Direct Debit payments are processed by our payment providers (Stripe and GoCardless). We never store full card numbers. We receive only the last 4 digits, the card type, expiry date, and a tokenised reference.
2.5 Marketing data
If you subscribe to our newsletter or request information, we hold your email address and marketing preferences.
3. How we use your data
We use personal data to:
- Provide and operate the OnlyTrade app and website
- Process payments and manage subscriptions
- Send service emails (receipts, renewal reminders, security alerts)
- Provide customer support
- Improve our product, detect bugs, and prevent abuse
- Send you marketing emails only if you have opted in — you can unsubscribe at any time
- Comply with legal obligations (tax, accounting, law enforcement)
We do not sell your personal data. We do not share it with third parties for their own marketing purposes.
4. Lawful basis for processing
Under the UK GDPR, we rely on the following lawful bases:
- Contract — to deliver the app you’ve subscribed to
- Legitimate interests — to secure the service, prevent fraud, and improve the product
- Legal obligation — for tax records, anti-money-laundering, and responding to lawful authorities
- Consent — for marketing emails, non-essential cookies, and any processing beyond the above (you can withdraw consent at any time)
5. Who we share data with
We share data only with trusted sub-processors, each bound by a data processing agreement:
- Hetzner Online GmbH — server hosting (EU, Germany)
- Cloudflare — CDN, DDoS protection, and DNS
- Stripe Payments UK Ltd — card payments
- GoCardless Ltd — Direct Debit payments
- Postmark (ActiveCampaign LLC) — transactional email delivery
- Twilio Ireland Ltd — SMS notifications
- Anthropic Ireland Ltd — AI features (only for users on plans where AI is enabled)
- Our accountants and professional advisers — bound by confidentiality
A current list of sub-processors is available on request. We may also disclose data if required by law (court order, regulatory request, or law enforcement under UK law).
6. International transfers
All primary data processing and storage happens in the UK and EU. Where a sub-processor processes data outside the UK/EU (e.g. US-headquartered companies), we rely on the UK International Data Transfer Agreement (IDTA), Standard Contractual Clauses (SCCs), or UK adequacy regulations as appropriate.
7. How long we keep data
- Account data: kept while your account is active. Deleted within 30 days of account closure, unless we’re legally required to keep it longer.
- Invoice/accounting records: kept for 6 years from the end of the tax year, as required by HMRC.
- Customer data you enter: you control retention. We delete it when you delete it, or within 30 days of account closure.
- Usage logs: kept for up to 90 days, then anonymised.
- Backups: retained for 35 days on a rolling basis.
- Marketing data: kept until you unsubscribe.
8. Your rights under UK GDPR
You have the following rights over your personal data:
- Right of access — a copy of what we hold about you
- Right to rectification — correct inaccurate data
- Right to erasure (“right to be forgotten”) — delete your data, subject to legal obligations
- Right to restrict processing
- Right to data portability — export in a machine-readable format
- Right to object — including to direct marketing and automated decision-making
- Right to withdraw consent at any time
To exercise any of these, email privacy@onlytrade.ai. We will respond within one calendar month. See our separate GDPR page for the full walkthrough.
9. Security
We take security seriously. All connections are encrypted in transit (TLS 1.2+), passwords are stored as bcrypt hashes, databases are encrypted at rest, and we run continuous monitoring. For the full details of how we protect your data, see our Security page.
If we ever suffer a personal data breach that poses a risk to your rights, we will notify the ICO within 72 hours and, where required, notify affected users directly.
10. Children’s data
OnlyTrade is a B2B tool for registered tradespeople. The service is not directed at children under 18 and we do not knowingly collect personal data from children. If you believe we hold a child’s data, contact us and we will delete it.
11. Changes to this policy
We may update this policy to reflect changes to our services or legal requirements. If we make material changes, we’ll notify you by email at least 30 days before the changes take effect. The “last updated” date at the top of this page always reflects the current version.
Questions or concerns about privacy? Contact us:
If you’re not satisfied with our response, you can complain to the Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
This policy is written in plain English wherever possible. If anything is unclear, email us and we’ll explain it in simpler terms.