GDPR Compliance Policy

Last updated: 19 March 2026

1. Introduction

Trade2Trade Ltd ("we", "us", "our") is committed to protecting the personal data of all users in compliance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018.

This policy explains how we process personal data, the legal bases for processing, and the rights available to data subjects when using our hospitality equipment repair marketplace platform.

2. Data Controller

Trade2Trade Ltd is the data controller for personal data collected through the Trade2Trade platform. For all data protection enquiries, contact our Data Protection Officer:

3. Lawful Bases for Processing

We process personal data under the following lawful bases as defined in Article 6 of the GDPR:

Contract Performance (Article 6(1)(b))

Processing necessary to provide our marketplace services, match venues with technicians, process job postings, manage escrow payments, and deliver the core platform functionality.

Legitimate Interests (Article 6(1)(f))

Platform security, fraud prevention, service improvement, and internal analytics. We conduct Legitimate Interest Assessments (LIAs) and balance our interests against data subject rights.

Consent (Article 6(1)(a))

Marketing communications, analytics cookies, and optional profiling. Consent is freely given, specific, informed, and can be withdrawn at any time without affecting prior processing.

Legal Obligation (Article 6(1)(c))

Tax records, financial reporting, anti-money laundering regulations, and compliance with UK law enforcement requests.

4. Personal Data We Process

We collect and process the following categories of personal data:

Category | Data Types | Lawful Basis
Identity | Name, email, phone, business name | Contract
Professional | Certifications, qualifications, Gas Safe / electrical registration numbers | Contract / Legal Obligation
Financial | Payment details (processed via Stripe), invoicing information, bank details for payouts | Contract / Legal
Location | Venue address, technician service areas, geolocation for job matching | Contract / Legitimate Interest
Technical | IP address, browser type, device information, cookies | Legitimate Interest / Consent
Usage | Platform interactions, feature usage, search queries | Legitimate Interest / Consent
Communications | Messages between venues and technicians, support tickets | Contract

5. Your Rights Under GDPR

As a data subject, you have the following rights. To exercise any of these rights, contact us at privacy@trade2trade.co.uk. We will respond within 30 days.

Right of Access (Article 15)

Request a copy of all personal data we hold about you, free of charge.

Right to Rectification (Article 16)

Request correction of inaccurate or incomplete personal data.

Right to Erasure (Article 17)

Request deletion of your personal data, subject to legal retention requirements.

Right to Restrict Processing (Article 18)

Request that we limit how we process your data in certain circumstances.

Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format (JSON/CSV).

Right to Object (Article 21)

Object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Withdraw consent at any time for consent-based processing without affecting prior lawfulness.

Rights Regarding Automated Decisions (Article 22)

Not be subject to decisions based solely on automated processing that significantly affect you.

6. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected:

Data Type | Retention Period | Reason
Account Data | Duration of account + 30 days | Service provision
Financial Records | 7 years | HMRC / tax requirements
Job History | 3 years after completion | Dispute resolution / warranty
Messages | 2 years | Dispute resolution
Audit Logs | 90 days | Security and compliance
Cookie Consent Records | 2 years | Regulatory proof of consent
Marketing Consent | Until withdrawn | Consent-based

7. Data Processors and Third Parties

We share personal data with the following categories of processor, all bound by Data Processing Agreements (DPAs):

  • Stripe — Payment processing and escrow management (PCI DSS compliant)
  • Google Cloud / Analytics — Hosting infrastructure and anonymised analytics
  • Email service provider — Transactional and marketing emails
  • Google Gemini AI — Equipment diagnostics (no personal data sent; only equipment descriptions)

We do not sell personal data to third parties. Data sharing is strictly limited to what is necessary for platform operation.

8. International Data Transfers

Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the ICO
  • UK International Data Transfer Agreement (IDTA)
  • Adequacy decisions where applicable
  • Processors certified under recognised frameworks

9. Data Security

We implement appropriate technical and organisational measures to protect personal data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Secure authentication with optional two-factor authentication
  • Regular security audits and penetration testing
  • Role-based access controls with principle of least privilege
  • Automated audit logging of all data access
  • Data minimisation — we collect only what is necessary
  • Regular staff training on data protection

10. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the ICO (Information Commissioner's Office) within 72 hours where feasible, if the breach is likely to result in a risk to rights and freedoms
  • Notify affected data subjects without undue delay if the breach is likely to result in a high risk
  • Document all breaches in our internal breach register, including remedial actions taken

11. Cookies and Consent Management

We use a granular cookie consent mechanism that allows you to control which cookies are placed on your device. Essential cookies required for platform functionality cannot be disabled. For all other categories (functional, analytics, marketing), explicit consent is obtained before any cookies are set.

You can update your cookie preferences at any time via the cookie banner or by visiting our Cookie Policy.

12. Children's Data

Trade2Trade is a B2B marketplace. Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

13. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for any processing that is likely to result in a high risk to the rights and freedoms of data subjects, including new features involving profiling, large-scale data processing, or automated decision-making.

14. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We encourage you to contact us first so we can try to resolve your concern: privacy@trade2trade.co.uk

15. Related Policies

16. Changes to This Policy

We may update this GDPR policy to reflect changes in our practices or regulatory requirements. Material changes will be notified via email and platform notification. The "Last updated" date at the top of this page indicates the latest revision.