privacy-notice-v0.1.md
1. Who we are
TradeBoard provides an online vehicle deal tracking workspace for trade vehicle professionals. The service is used by sellers, buyers and brokers to manage vehicle handovers, documents, comments, files, collection details and deal access.
For some personal data, TradeBoard Ltd acts as a controller. This includes account administration, security, legal compliance records, service emails and business operations.
For deal and workflow data entered by customer organisations, TradeBoard will usually act as a processor on behalf of the customer organisation. The customer organisation is usually responsible for deciding why that data is used and who should have access to it.
2. Who this notice applies to
This notice applies to people who:
- register for a TradeBoard account;
- are invited to a TradeBoard deal;
- are listed on a deal as a seller, buyer, seller broker or buyer broker;
- upload files, add comments or use the workflow tools;
- contact TradeBoard for support or administration.
TradeBoard is intended for business users. It is not intended for children.
3. Personal data we collect
We may collect and use:
- name, email address, company, job title and phone numbers;
- profile photo or avatar if you upload one;
- account role, account status and authentication identifiers;
- vehicle deal access information, including whether you are listed as seller, buyer or broker;
- comments, file uploads and timeline events you create;
- notification and invitation records;
- locations, addresses and collection details added to deals;
- technical data such as IP address, browser information, device information, security logs and timestamps;
- legal acceptance records, including the document version accepted, time of acceptance, IP address and user agent.
Some deal files may contain personal data depending on what users upload. Users and customer organisations should avoid uploading unnecessary personal data.
During beta, users should avoid uploading unnecessary or high-risk personal data and should use suitable test or limited business data where practical.
4. How we receive personal data
We receive personal data when:
- you register or update your profile;
- another user adds your email address to a deal, team or invitation;
- you add comments, files or workflow updates;
- data is imported from a CSV, JSON file or authorised API source;
- our systems record security, audit or legal acceptance events.
5. Why we use personal data
We use personal data to:
- create and manage user accounts;
- authenticate users and protect access;
- show each user the deals they are listed on;
- support seller, buyer and broker collaboration;
- send operational emails, such as invitations, file upload alerts, comment alerts and status change alerts;
- store deal history, comments, files and timeline events;
- provide address, location and map features;
- manage support, troubleshooting and security;
- keep evidence of legal document acceptance;
- comply with legal obligations and protect TradeBoard, customers and users.
6. Lawful basis
Where TradeBoard acts as controller, we rely on the following lawful bases:
- Contract: to provide the TradeBoard service and manage accounts.
- Legitimate interests: to secure the service, send necessary operational notifications, improve the product, prevent misuse and support business customers.
- Legal obligation: where we must keep records or respond to lawful requests.
- Consent: where consent is legally required, such as non-essential cookies or marketing if introduced.
Where TradeBoard acts as processor, the customer organisation is responsible for identifying the lawful basis for its processing.
7. Who can see deal data
TradeBoard is designed so users can only see deals they are listed on or otherwise permitted to access. A person may be listed as:
- seller;
- buyer;
- seller broker;
- buyer broker.
People listed on a deal may see shared deal information, comments, files, timeline events and relevant workflow details. Some fields may be limited by side or role depending on the product permissions.
8. Sharing personal data
We share personal data only where needed to provide and secure the service. This may include:
- customer organisations and users listed on the same deal;
- hosting, authentication, storage and email providers;
- address, location and map providers where those features are used;
- professional advisers, insurers or legal representatives where necessary;
- regulators, courts or public authorities where required by law.
We do not sell personal data.
9. Sub-processors
TradeBoard uses trusted service providers to operate the service. The current sub-processor list is maintained in the TradeBoard Sub-Processors document.
10. International transfers
Some providers may process data outside the UK. Where this happens, TradeBoard Ltd will use appropriate safeguards required by UK data protection law, such as adequacy arrangements or approved contractual safeguards.
During beta, this wording must be checked against the final supplier configuration before paid launch. Relevant providers may include Cloudflare, Supabase, Resend, Google Maps, what3words, Swiftcomplete, DVSA MOT History API where relevant, broker/customer-configured integrations where relevant, and any support tooling used by TradeBoard.
11. How long we keep personal data
We keep personal data only as long as needed for the purposes described in this notice. Retention periods are described in the Retention and Deletion Policy.
In summary:
- account data is kept while the account is active and for a reasonable period afterwards;
- deal records are kept while needed for customer workflow, audit and business records;
- legal acceptance records are kept while needed to prove acceptance;
- security logs are kept for a limited period unless needed for an investigation;
- deleted files may remain in backups for a limited period.
12. Your rights
Depending on the circumstances, you may have rights to:
- access your personal data;
- correct inaccurate data;
- request deletion;
- restrict processing;
- object to processing;
- receive a copy of data in a portable format;
- complain to the Information Commissioner's Office.
Where TradeBoard processes data on behalf of a customer organisation, we may need to pass your request to that customer organisation.
13. Security
TradeBoard uses technical and organisational measures to protect personal data. These include authenticated access, role-based deal access, separate admin protection, managed hosting, storage controls and audit records.
No online service can be guaranteed to be completely secure. Users must keep login details secure and only upload appropriate business information.
14. Operational emails
TradeBoard sends operational emails needed for the service, such as sign-in messages, invitations, file upload alerts, comment alerts and status change alerts. These are service emails, not marketing emails.
If marketing emails are introduced, they will be handled separately.
15. Cookies and similar technologies
TradeBoard uses cookies or similar technologies that are necessary for authentication, session management and security. More detail is provided in the Cookie Policy.
16. Changes to this notice
We may update this Privacy Notice from time to time. Where changes are material, users may be asked to accept the updated version before continuing to use TradeBoard.
17. Contact
Beta contact details:
- Trading entity: TradeBoard Ltd.
- Contact email: hello@tradeboard.uk.
- Registered address: to be added once the company setup is complete.
- ICO registration: TradeBoard Ltd intends to apply for ICO registration once the company setup is complete.