Trade-OSSign in

Last updated: May 2026

Privacy Policy

Who we are

Trade-OS is operated by GECKOSOFTWARE LTD (company number 16582317), registered at 16 Bowes Gate Drive, Lambton Park, Chester-le-Street, DH3 4DS. We are the controller for personal data we process for our own purposes — running subscriber accounts, securing and operating the platform, billing, abuse prevention, and de-identified product analytics. For the personal data a subscriber records about their own customers and proposal recipients, the subscriber is the controller and Trade-OS acts as their processor under our Data Processing Addendum.

ICO registration reference: ZC136332. Registering is a legal notification step — it does not mean the ICO has approved or endorsed Trade-OS.

Data we collect

  • Subscriber account data: email, identity and contact details you give us, branding assets, business profile fields, onboarding answers, catalogue and quoting data you enter.
  • Recipients (proposal viewers): limited interaction telemetry connected to proposals (for example device class, view timing, acceptance outcome) surfaced to the sender as business insight — detailed in-product.
  • Technical identifiers: IP address, coarse device/browser metadata, diagnostics for security and reliability.
  • Referral attribution: a first-party referral cookie (`tos_ref`) when you arrive with an approved referral parameter.

Purposes and lawful bases (UK GDPR)

We process data mainly to deliver the subscription you requested (contract); to secure accounts (contract / legitimate interests); to run proportionate diagnostics and aggregated insight for reliability and product improvement (often legitimate interests, balanced against your rights); and to comply with law where applicable (legal obligation). Marketing our own related services relies on legitimate interests — you may opt out of non-essential outreach where that applies.

Where you turn on Product safety & analytics (PostHog on this browser), we attach that narrowly-scoped telemetry to your choice on this device alongside the legitimate-interest purposes documented in our internal Privacy Policy — ask qualified advisers where you must treat that combination as consent rather than layered legitimate interests + consent.

  • Operating the platform — account, quotations, invoicing data you enter: contract (and overlapping security interests).
  • Safety and misuse prevention — sessions, anomalies, diagnostics: contract / legitimate interests.
  • Client observability when enabled — typed PostHog events only after preference; excludes raw quotes, customer contact fields, uploads, prompts, completions, sensitive line economics.
  • Anthropic-assisted features — server-side inference for parts of quoting/estimation/catalogue tooling where deployed. Structured customer contact fields are excluded from these requests by design; only content a subscriber deliberately enters into free-text is processed. Lawful basis: contract plus proportionate legitimate interests (see Subprocessors).

Proposal recipients

When subscribers send proposals, recipients receive personalised content the subscriber authored and controls. The subscriber is the controller of that recipient relationship and is responsible for any privacy information owed to their own customers. Trade-OS processes only minimal technical metadata (for example delivery and acceptance status, coarse device class, view timing) on the subscriber's behalf, and does not use identifiable recipient data for its own purposes. Trade-OS does not verify the job or outcomes — recipients should satisfy themselves directly with their tradesperson.

Who processes data with us

Our Subprocessors page lists Supabase (database/auth/storage), Vercel (hosting/CDN/runtime), AI inference processors such as Anthropic where AI-assisted features run, subscriber-chosen optional PostHog telemetry on this browser after you opt in while a PostHog key is configured, payment flows via Stripe when live credentials exist, and mail via Resend when those endpoints are wired. Vendor processing sits under written controller-to-processor terms (including standard DPAs or equivalent where offered).

Retention

We retain operational data while your subscription is active and for a reasonable aftermath period for billing, backups, audits, disputes, and legal holds. Automated schedules vary by subsystem — specifics can be requested from hello@tradeoshq.com. Aggregate analytics lacking identifiers may be kept longer.

Cookies and storage

See our Cookie overview (privacy preferences) — strictly necessary Supabase authentication cookies plus optional first-party referral storage. Where a PostHog key exists, subscriber-facing product safety and analytics uses localStorage only after explicit per-browser preference — autocapture/session replay disabled in configuration.

Your UK GDPR rights

  • Access, correction, erasure (subject to exemptions)
  • Restriction, objection where applicable
  • Portable copy and erasure — request-led via hello@tradeoshq.com, fulfilled within the statutory one-month period
  • Withdraw consent where consent was the lawful basis

Requests: hello@tradeoshq.com — target response within 30 days. You may complain to the ICO (ico.org.uk) — cite our reference above if helpful.

Technical and organisational security

  • Encryption in transit (HTTPS/TLS) plus provider-managed encryption at rest patterns
  • Authenticated access using Supabase Auth
  • Row Level Security partitioning tenant workloads on our database tier
  • Restricted production access for authorised operators only

More narrative context in our Security overview.

International transfers

Primary database hosting is UK/EU aligned (Supabase London). PostHog and Anthropic workloads may reside outside the UK — we rely on vendor standard terms, SCC-style mechanisms where applicable, and practical data minimisation. Current vendors and safeguards are outlined on Subprocessors.

Children

Trade-OS is for adult businesses — not marketed to under-18s. If we learn we hold a child's personal data mistakenly, contact us to remove it promptly.

Updates to this policy

We will update this page when practices change materially and note the new “Last updated” month. Operational updates may additionally appear in the product or routine email summaries when appropriate.

Privacy contact and ICO registration

Email: hello@tradeoshq.com
Registered office: 16 Bowes Gate Drive, Lambton Park, Chester-le-Street, DH3 4DS
Company: GECKOSOFTWARE LTD — 16582317 · ICO: ZC136332