Privacy Policy

Last updated: 19 April 2026

1. Who we are

Guildly (“we”, “us”, “Guildly”) operates the platform at guildly.co.uk. For the personal data of customers and tradespeople who use the platform, Guildly acts as a data controller. Where a tradesperson receives customer details through the platform in order to deliver a service, that tradesperson is an independent data controller for their own use of that data.

Contact: [email protected].

2. What we collect

Account information. Name, business name (for trades), email address, mobile number, postcode, and address (customers only, for job delivery). Provided by you at signup.

Profile information (trades only). Trade type, working area, bio, photos, pricing, working hours. Provided by you when completing your profile.

Activity data. Enquiries, quotes, bookings, messages, reviews. Generated as you use the platform.

Billing data. Subscription status, credit purchases. Payment card details are handled by Stripe — we never see or store them.

Technical data. IP address, browser type, device type, session cookies. Collected automatically by our hosting provider and authentication layer.

3. Why we use it (lawful basis)

  • To deliver the service you signed up for — account management, matching customers to trades, quote and booking flow. Lawful basis: performance of a contract (UK GDPR Article 6(1)(b)).
  • To prevent abuse — maintaining review integrity, detecting fraud, enforcing our Acceptable Use Policy. Lawful basis: legitimate interests (Article 6(1)(f)).
  • To send operational messages — quote notifications, booking confirmations, review prompts, billing receipts. Lawful basis: performance of a contract.
  • To comply with legal obligations — responding to data subject requests, regulatory requirements, court orders. Lawful basis: legal obligation (Article 6(1)(c)).

4. How long we keep it

Active accounts: for as long as the account exists.

Deleted accounts: profile fields are nulled at the point of deletion. Reviews are anonymised but retained — they represent the experience of another person on the platform and are kept to preserve trust signals for everyone else. Aggregate rating data persists.

Trash folder: enquiries you remove sit in the recycle bin for 30 days before permanent deletion. You can restore them or purge them earlier.

Historical signup records (email + plan history) are kept to prevent trial abuse. No identifying personal data beyond email is retained in this registry.

5. Who we share it with

We share data only with the sub-processors we need to run the service:

  • Supabase — database and authentication (EU region).
  • Stripe — payment processing.
  • Resend — transactional email delivery.
  • Twilio — SMS and voice handling.
  • Vercel — web hosting.
  • Anthropic — AI assistance for enquiry classification. Messages sent to Anthropic are not used to train their models.

When you are matched to a tradesperson and accept their quote, they receive the contact details needed to deliver the work. From that point they are an independent controller for their own records, governed by their own privacy practices.

6. International transfers

Our primary data storage is in the EU. Some sub-processors (Stripe, Resend, Vercel, Anthropic) may process data outside the UK and EEA. Where this happens we rely on appropriate safeguards including the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.

7. Your rights

Under UK GDPR you have the right to:

  • Access your data — available as a one-click JSON export in Settings (for both trades and customers).
  • Rectify inaccurate data — edit your profile and settings at any time.
  • Erase your account — one-click from Privacy settings, with the retention caveats in section 4.
  • Port your data — the same JSON export is structured for portability.
  • Object to processing, or request restriction, for any processing based on legitimate interests.
  • Withdraw consent where we rely on it. Most of what we do is contract- or legitimate-interest-based rather than consent-based, so this applies narrowly.
  • Complain to the Information Commissioner's Office (ICO) at ico.org.uk. We'd ask you to contact us first so we can try to resolve the issue.

To exercise any right that isn't self-serve, email [email protected]. We respond within 30 days.

8. Security

Authentication is handled by Supabase Auth with password hashing and session tokens. Database access is restricted by row-level security policies. Payment card data is handled exclusively by Stripe — we never see it. All traffic is served over HTTPS.

9. Changes to this policy

We'll update the “Last updated” date above when this page changes. Material changes will be announced by email to account holders.