1. Who We Are
Tradelynx Limited ("Tradelynx", "we", "us", "our") operates a property-work platform used by homeowners, traders, estate agents, property managers, insurers, lenders, and platform administrators.
For most of the processing described in this notice, Tradelynx is the controller of your personal data. In some workflows, other parties such as matched traders, estate agents, insurers, lenders, or property managers will also process personal data for their own purposes once information is shared with them through the platform.
- Controller: Tradelynx Limited
- Registered office: 2 Hayling Close, Fareham, Hampshire, PO14 3AE
- Privacy contact: privacy@tradelynx.co.uk
- General support: support@tradelynx.co.uk
2. What This Notice Covers
This notice covers how we handle personal data when you:
- submit a customer enquiry or create a customer account
- sign in using magic links, email OTP, SMS OTP, or phone-call OTP
- sign up as a trader, upload documents, or complete identity verification
- message through Tradelynx, upload photos/files, or use support workflows
- use property-history, owner-verification, or paid report products
- use telephony features, public trader profiles, public listing pages, or enterprise/API features
- pay for subscriptions, entitlements, or other chargeable products
3. Categories of Personal Data We Process
The exact data we process depends on the feature you use. The main categories are identity and contact data, property and job information, account and authentication data, communications, uploaded files, verification and compliance records, billing records, support records, technical security logs, and public profile information where a trader has enabled publication.
4. Feature-by-Feature Summary
| Feature | Typical data | Main purposes | Likely lawful bases |
|---|---|---|---|
| Customer enquiries and jobs | Name, email, phone, postcode, address, job details, photos, scheduling preferences, messages | Route enquiries, manage bookings, support job delivery, keep records, prevent misuse | Contract steps; legitimate interests in operating and securing the platform |
| Customer account sign-in | Email, phone number, OTP/magic-link metadata, login timestamps, IP/device data | Authenticate users, detect abuse, secure accounts, route users to the right workspace | Contract; legitimate interests in account security and fraud prevention |
| Trader sign-up and onboarding | Identity/contact data, business details, postcode, certifications, insurance documents, profile settings | Assess eligibility, create trader accounts, manage onboarding and public/private trust signals | Contract steps; legitimate interests in safety, quality control, and fraud prevention |
| Trader identity verification | Verification session data, identity details submitted to Didit, webhook outcomes, verification status and audit trail | Verify trader identity, reduce fraud, support trust and compliance decisions | Legitimate interests in platform safety and fraud prevention; possible legal/compliance obligations depending on future policy |
| Property history and reports | Property identifiers, search queries, entitlement records, owner-verification submissions, report access logs, property-history entries | Provide property-history products, control access, log usage, support owner claims and enterprise use cases | Contract; legitimate interests in access control, product security, auditability, and B2B reporting |
| Messages, photos, and moderation | Message content, attachments, moderation flags, anti-bypass indicators, profanity/contact-sharing detection results | Enable communication, enforce contact controls, reduce off-platform bypass, protect users, maintain records | Contract; legitimate interests in safety, abuse prevention, and marketplace integrity |
| Telephony and SMS | Phone numbers, call/SMS metadata, call-control events, webhook events, OTP delivery records | Send login codes, manage masked/operational calling, log telephony events, investigate failures | Contract; legitimate interests in communication, service operations, and fraud prevention |
| Payments and subscriptions | Billing contact data, Stripe customer/subscription/session metadata, payment status, refunds, entitlements | Take payment, manage subscriptions, grant entitlements, reconcile transactions, handle refunds | Contract; legal obligations for accounting/tax; legitimate interests in fraud prevention and reconciliation |
| Support and complaints | Support ticket content, contact details, attachments, dispute details, review/dispute metadata | Resolve support requests, complaints, disputes, and platform-quality issues | Contract; legitimate interests in customer support, quality control, legal defence, and complaint handling |
| Public trader profiles and listing pages | Approved public profile fields such as display name, town/trade coverage, bio, profile photo, badges, review counts, completed-job counts | Support trust, search visibility, and customer confidence | Legitimate interests in marketing and product trust; trader publication choice/settings where applicable |
5. Sources of Personal Data
We collect personal data directly from you when you submit forms, create accounts, send messages, upload files, or contact support.
We also receive personal data from other sources in certain workflows, including:
- from matched traders and customers during job delivery and messaging
- from Didit when a trader completes or attempts identity verification
- from Stripe when a checkout, subscription, refund, or billing event occurs
- from Telnyx when SMS, calls, or call-control events are processed
- from public or customer-entered property details, owner-verification submissions, and property-history records
- from estate agents, insurers, lenders, or other enterprise users where they create or manage records in the platform
6. More Detail by Processing Area
Customer lead submission and job handling
When a customer submits an enquiry, we process their contact details, property/job details, messages, uploaded media, and scheduling information to route the request, manage follow-up, support matched traders, and keep an auditable job history. Customer contact information is not intended to be shown on public pages.
Customer login, magic links, and OTP
We support email magic-link and OTP login, and some login flows can also send a code by SMS or automated phone call. Those flows process email address, phone number, OTP generation and verification data, delivery channel, timestamps, and security metadata such as IP address and user agent where available.
Trader sign-up, document handling, and trust signals
Trader onboarding processes identity/contact details, business details, postcode, profile data, uploaded documents, extracted document metadata such as expiry dates and reference numbers, prescreening results, verification state, trust markers, and related audit logs. We may use these records to decide whether further manual review is required and whether a trader can access certain workflows.
Verification and automated operational decisioning
Tradelynx uses automated operational rules in several places, including lead routing, trader prescreening, message/contact-control enforcement, document extraction, and trust/reliability summaries. These processes help us route work, reduce abuse, prioritise the right follow-up, and decide whether manual review is required.
We do not currently describe these features as producing solely automated decisions with legal or similarly significant effects in every case, but some of them can materially affect workflow access, routing, visibility, and review requirements. This area should be reviewed with external legal counsel before final sign-off.
Property history, owner verification, and industry access
Property-history workflows process property identifiers, address data, property-history entries, search queries, report access logs, entitlements, subscriptions, owner-verification requests, and evidence links. Access to richer report views depends on the access tier recorded in the platform, such as owner-authorised access, subscription-based access, or admin access.
Property-history entries may come from platform job history, owner/customer submissions, trader-confirmed or admin-verified information, and other internal records. The exact provenance of every historical entry should be confirmed before legal sign-off where the product intends to make stronger provenance claims.
Messaging, moderation, and image scanning
Message content and attachments can be checked against profanity and contact-sharing rules. The codebase also contains image scanning/contact-detection tooling for message attachments. This is used to reduce off-platform bypass, enforce safety rules, and protect the marketplace.
Telephony, SMS, and call control
Telnyx-backed functionality is used for SMS delivery, automated OTP calls, public trade phone routing, and telephony webhook/call-control events. We log telephony events and redacted phone metadata for audit and troubleshooting.
Support, reviews, and disputes
We process support tickets, support messages, complaints, disputes, review content, dispute flags, admin resolution states, and related notifications so we can support users, investigate issues, and keep a clear audit trail.
7. Recipients and Sharing
Depending on the workflow, we share personal data with the following categories of recipient:
- matched traders and customers, where information is needed to progress a request or job
- estate agents, insurers, lenders, and other authorised enterprise users where the workflow or entitlement model permits access
- Supabase for hosting, database, authentication, and storage
- Stripe for payments, subscriptions, billing portal access, and refund handling
- Telnyx for SMS, telephony, and call-control operations
- Resend for transactional email delivery
- Didit for trader identity verification
- Cloudflare Turnstile for abuse-prevention checks on selected public upload flows
- Geoapify, Postcodes.io, Mapbox, and OpenStreetMap-related services for location, map, postcode, and routing features
- professional advisers, auditors, insurers, regulators, courts, and law enforcement where required or appropriate
The detailed processor and recipient schedule is maintained internally. A public subprocessor page is recommended before launch.
8. Public Pages and Public Profile Disclosure
Tradelynx publishes public trader listing pages and public trader profile pages. These pages can be indexed by search engines. The code indicates that approved public fields can include display name, town, trade, public bio, profile photo, badges/verification markers, review counts, completed job counts, skills, certifications, and areas covered.
Direct contact details are intended to stay off these public pages. Public trade phone numbers may also be published by town/trade as separate routing numbers where configured.
9. International Transfers
Some of our processors may process data outside the UK. This can include, depending on provider setup and region choices, email delivery, fraud-prevention checks, verification, AI-assisted document extraction, analytics, and infrastructure providers.
Where UK personal data is transferred internationally, we expect to rely on appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to the EU SCCs, or adequacy regulations, together with contractual and technical controls. The exact safeguard wording and provider-region positions require founder and legal confirmation.
10. Retention
We keep personal data only for as long as needed for the purposes described in this notice, taking account of contractual, legal, accounting, dispute, fraud-prevention, and evidential needs.
Our current retention schedule is set out in the Data Retention Schedule.
11. Security, Fraud Prevention, and Audit Logging
We use authentication controls, row-level access controls, signed storage URLs, audit/event logging, webhook verification, rate limiting, abuse prevention checks, moderation rules, and restricted admin/service-role access to help protect platform data.
We also keep security, audit, and operational logs to investigate misuse, protect users, and support legal or support enquiries.
12. Lawful Bases
Our main lawful bases are:
- contract or steps before entering a contract, for core platform workflows such as enquiries, jobs, payments, subscriptions, and account access
- legitimate interests, for routing, trust and safety, fraud prevention, moderation, support, audit logging, enterprise product operation, service improvement, and platform security
- legal obligation, where we need to keep records for accounting, tax, dispute handling, law-enforcement response, or similar legal requirements
- consent, where this is the appropriate basis for optional marketing or comparable optional communications
A more detailed lawful-basis matrix is kept internally because different workflows sometimes rely on different bases for the same user type.
13. Your Rights
You may have rights to:
- request access to your personal data
- request correction of inaccurate or incomplete personal data
- request erasure in some circumstances
- object to or restrict processing in some circumstances
- request portability where the law applies
- withdraw consent where we rely on consent
- complain to the UK Information Commissioner’s Office
To exercise rights, contact privacy@tradelynx.co.uk. We may need to verify identity before actioning a request and may retain some data where we have an overriding lawful basis or legal obligation to do so.
14. Cookies and Similar Technologies
The codebase uses cookies and similar technologies for authentication, account/session continuity, portal preference storage, security, and some anti-abuse functionality. A separate cookie notice and consent approach may be required depending on the final analytics and non-essential cookie setup.
PECR compliance for analytics or non-essential cookies requires a final implementation review before launch.
15. Complaints
If you have a privacy concern, please contact us first at privacy@tradelynx.co.uk.
You can also complain to the Information Commissioner’s Office: https://ico.org.uk/.