Important: Tradelynx introduces customers and independent traders. Any work contract is between customer and trader.
Legal · Privacy

Privacy notice

What we collect, why, who we share it with, and what you can do about it. UK GDPR — written so you can read it.

Last updated19 April 2026
Versionv2.6.0
Reading time9 min
JurisdictionEngland & Wales

1 · Who we are

The data controller for personal data processed through the Tradelynx platform is Tradelynx Limited (registered in England and Wales, company number 17064008, registered office 2 Hayling Close, Fareham, Hampshire, PO14 3AE; ICO registration number ZC156126). For Tradelynx Enterprise customers, the enterprise organisation is the controller and Tradelynx Limited is the processor under the workspace data-processing addendum.

2 · What this notice covers

This notice covers how we handle personal data when you:

  • submit a customer enquiry or create a customer account,
  • sign in using magic links, email OTP, SMS OTP, or phone-call OTP,
  • sign up as a trader, upload documents, or complete identity verification,
  • message through Tradelynx, upload photos / files, or use support workflows,
  • use property-history, owner-verification, or paid report products,
  • use telephony features, public trader profiles, public listing pages, or enterprise / API features,
  • pay for subscriptions, entitlements, or other chargeable products.

3 · Categories of personal data we process

The exact data we process depends on the feature you use. The main categories are identity and contact data, property and job information, account and authentication data, communications, uploaded files, verification and compliance records, billing records, support records, technical security logs, and public profile information where a trader has enabled publication.

4 · Feature-by-feature summary

Feature
Typical data + main purposes
Likely lawful basis
Customer enquiries and jobs
Name, email, phone, postcode, address, job details, photos, scheduling preferences, messages — to route enquiries, manage bookings, support job delivery, keep records, and prevent misuse.
Contract; legitimate interests
Customer account sign-in
Email, phone number, OTP / magic-link metadata, login timestamps, IP / device data — to authenticate users, detect abuse, secure accounts.
Contract; legitimate interests
Trader sign-up and onboarding
Identity / contact data, business details, postcode, certifications, insurance documents, profile settings — to assess eligibility, create trader accounts, manage onboarding, decide trust signals.
Contract; legitimate interests
Trader identity verification
Verification session data, identity details submitted to DiDit, webhook outcomes, verification status and audit trail.
Legitimate interests; possible legal obligation
Property history and reports
Property identifiers, search queries, entitlement records, owner-verification submissions, report access logs, property-history entries.
Contract; legitimate interests
Messages, photos, and moderation
Message content, attachments, moderation flags, anti-bypass indicators, profanity / contact-sharing detection results.
Contract; legitimate interests
Telephony and SMS
Phone numbers, call / SMS metadata, call-control events, webhook events, OTP delivery records.
Contract; legitimate interests
Payments and subscriptions
Billing contact data, Stripe customer / subscription / session metadata, payment status, refunds, entitlements.
Contract; legal obligation; legitimate interests
Support and complaints
Support ticket content, contact details, attachments, dispute details, review / dispute metadata.
Contract; legitimate interests
Public trader profiles
Approved public profile fields: display name, town / trade coverage, bio, profile photo, badges, review counts, completed-job counts.
Legitimate interests; trader publication choice

5 · Sources of personal data

We collect personal data directly from you when you submit forms, create accounts, send messages, upload files, or contact support.

We also receive personal data from other sources in certain workflows:

  • from matched traders and customers during job delivery and messaging,
  • from DiDit when a trader completes or attempts identity verification,
  • from Stripe when a checkout, subscription, refund, or billing event occurs,
  • from Telnyx when SMS, calls, or call-control events are processed,
  • from public or customer-entered property details, owner-verification submissions, and property-history records,
  • from estate agents, insurers, lenders, or other enterprise users where they create or manage records in the platform.

6 · More detail by processing area

Customer enquiries and job handling

When a customer submits an enquiry, we process their contact details, property / job details, messages, uploaded media, and scheduling information to route the request, manage follow-up, support matched traders, and keep an auditable job history. Customer contact information is not intended to be shown on public pages.

Customer login (magic links and OTP)

We support email magic-link and OTP login, and some flows can also send a code by SMS or automated phone call. Those flows process email address, phone number, OTP generation and verification data, delivery channel, timestamps, and security metadata such as IP address and user agent where available.

Trader sign-up and document handling

Trader onboarding processes identity / contact details, business details, postcode, profile data, uploaded documents, extracted document metadata such as expiry dates and reference numbers, prescreening results, verification state, trust markers, and related audit logs. We may use these records to decide whether further manual review is required and whether a trader can access certain workflows.

Verification and automated operational decisioning

Tradelynx uses automated operational rules in several places, including lead routing, trader prescreening, message / contact-control enforcement, document extraction, and trust / reliability summaries. These processes help us route work, reduce abuse, prioritise the right follow-up, and decide whether manual review is required.

We do not currently describe these features as producing solely automated decisions with legal or similarly significant effects in every case, but some of them can materially affect workflow access, routing, visibility, and review requirements.

Property history and owner verification

Property-history workflows process property identifiers, address data, property-history entries, search queries, report access logs, entitlements, subscriptions, owner-verification requests, and evidence links. Access to richer report views depends on the access tier recorded in the platform — owner-authorised access, subscription-based access, or admin access.

Messaging, moderation, and image scanning

Message content and attachments can be checked against profanity and contact-sharing rules. Image scanning / contact-detection tooling is used on message attachments to reduce off-platform bypass and protect the marketplace.

Telephony, SMS, and call control

Telnyx-backed functionality is used for SMS delivery, automated OTP calls, public trade phone routing, and telephony webhook / call-control events. We log telephony events and redacted phone metadata for audit and troubleshooting. Tradelynx does not record calls; telephony data consists of event logs (call start, duration, outcome) only.

Trader ratings of customers

Traders who complete work at your property may leave an anonymised rating of the experience. This rating is only visible to traders who are offered future jobs at your property, is never publicly visible, is never attributed to a specific trader, and is accessible to you in aggregate form via your account settings at /c/account. You may request deletion of your rating data at any time by contacting privacy@tradelynx.co.uk.

7 · Recipients and sharing

Data flow
How personal data flows on TradelynxPersonal data flows from you (a customer or trader) into the Tradelynx platform. From there it is shared with the matched trader on a one-trader-at-a-time basis, with verification partners (DiDit and Companies House) for credential checks, and with Stripe (UK) for payments.YouCustomer or traderTradelynxPlatform & appMatched traderOne at a timeVerificationDiDit · Co. HousePaymentsStripe (EU/UK)

Depending on the workflow, we share personal data with:

  • matched traders and customers, where information is needed to progress a request or job;
  • estate agents, insurers, lenders, and other authorised enterprise users where the workflow or entitlement model permits access;
  • Supabase for hosting, database, authentication, and storage;
  • Stripe for payments, subscriptions, billing portal access, and refund handling;
  • Telnyx for SMS, telephony, and call-control operations;
  • Resend for transactional email delivery;
  • DiDit for trader identity verification;
  • Cloudflare Turnstile for abuse-prevention checks on selected public upload flows;
  • Geoapify, Postcodes.io, Mapbox, and OpenStreetMap-related services for location, map, postcode, and routing features;
  • professional advisers, auditors, insurers, regulators, courts, and law enforcement where required or appropriate.

The full processor list with locations, purposes, and transfer safeguards is in section 9 below. We update that list when a processor is added or replaced.

8 · Public pages and public profile disclosure

Tradelynx publishes public trader listing pages and public trader profile pages. These pages can be indexed by search engines. Approved public fields can include display name, town, trade, public bio, profile photo, badges / verification markers, review counts, completed job counts, skills, certifications, and areas covered.

Direct contact details are intended to stay off these public pages. Public trade phone numbers may also be published by town / trade as separate routing numbers where configured.

9 · International transfers of your data

Some of our third-party processors operate outside the UK. Where we transfer personal data internationally we rely on one of the following safeguards under UK GDPR Article 46:

  • Standard Contractual Clauses (SCCs) adopted under the UK's International Data Transfer Agreement (IDTA), including the UK Addendum to the EU SCCs where applicable.
  • Adequacy decisions made by the UK Secretary of State, including the UK-EEA adequacy regulations.

Our processors and the safeguard used:

Processor
Location · Purpose
Safeguard
Anthropic
USA · AI-assisted credential verification
UK IDTA SCCs
Resend
USA · Transactional email delivery
UK IDTA SCCs
Telnyx
USA · SMS and telephony routing
UK IDTA SCCs
Supabase
EU + USA · Database + auth
EU adequacy + UK IDTA SCCs
Stripe
USA + EU · Payment processing
UK IDTA SCCs
DiDit
EU · Identity verification
EU adequacy
Vercel
USA + EU · Application hosting + CDN
UK IDTA SCCs
Google Analytics
USA · Usage analytics
UK IDTA SCCs

You can request a copy of the relevant SCCs by contacting privacy@tradelynx.co.uk.

10 · Data retention

We keep personal data only for as long as needed for the purposes described in this notice, taking account of contractual, legal, accounting, dispute, fraud-prevention, and evidential needs. Headline retention values:

  • Lead enquiry data — 3 years from submission
  • Job records — 6 years from completion (HMRC statutory requirement)
  • Account data — deleted within 30 days of a verified account closure request
  • Trader verification documents — deleted within 90 days of application rejection, or 6 years from verification to support dispute resolution
  • Wellbeing check-in responses — stored anonymously with no personal identifiers, no deletion required
  • Marketing campaign records — 2 years

The fuller breakdown by category is in the Data Retention Schedule.

11 · Security, fraud prevention, and audit logging

We use authentication controls, row-level access controls, signed storage URLs, audit / event logging, webhook verification, rate limiting, abuse-prevention checks, moderation rules, and restricted admin / service-role access to protect platform data. Encryption is TLS 1.2+ in transit and AES-256-GCM at rest for sensitive columns.

We also keep security, audit, and operational logs to investigate misuse, protect users, and support legal or support enquiries. We notify the ICO and affected individuals within 72 hours of becoming aware of a notifiable breach.

12 · Lawful bases

Our main lawful bases:

  • Contract (or steps before entering a contract) — for core platform workflows such as enquiries, jobs, payments, subscriptions, and account access.
  • Legitimate interests — for routing, trust and safety, fraud prevention, moderation, support, audit logging, enterprise product operation, service improvement, and platform security.
  • Legal obligation — where we need to keep records for accounting, tax, dispute handling, law-enforcement response, or similar requirements.
  • Consent — where this is the appropriate basis for optional marketing or comparable optional communications.

A more detailed lawful-basis matrix is kept internally because different workflows sometimes rely on different bases for the same user type.

13 · Your rights

Access
Get a copy of your personal data
Rectification
Fix anything that is wrong
Erasure
Ask us to delete it ("right to be forgotten")
Restriction
Pause our use of it while we sort an issue
Portability
Export your data in a machine-readable format
Object
Tell us to stop using it for a particular purpose
Withdraw consent
Where we relied on consent
No automated decisions
We do not make decisions about you using algorithms alone

To exercise rights, contact privacy@tradelynx.co.uk. We may need to verify identity before actioning a request and may retain some data where we have an overriding lawful basis or legal obligation to do so.

14 · Cookies and similar technologies

We use cookies and similar technologies for authentication, account and session continuity, portal preference storage, security, and anti-abuse functionality. These are strictly necessary for the platform to operate.

We also use Google Analytics for anonymous, aggregated usage analytics. Analytics cookies are loaded only after you accept them via the consent banner. Full details are in our Cookie Policy.

15 · Complaints and contact

If you have a privacy concern, please contact us first at privacy@tradelynx.co.uk.

You can also complain to the Information Commissioner's Office at ico.org.uk or 0303 123 1113.