This policy explains how Graft Up (“Graft Up”) handles personal data, in line with UK GDPR and the Data Protection Act 2018. Contact us about privacy at support@graftup.co.uk.
1. Who is the controller
Graft Up is the data controller for your account and how you use the service. For the information you enter about your own customers (names, addresses, contact details, job history), you are the controller and Graft Up acts as your processor, handling that data only on your instructions to run the service.
2. What we collect
- Account details - your name, email and business profile.
- Business data you enter - customers, properties, jobs, quotes, invoices, certificates, photos and notes.
- Subscription data - your plan status and the identifiers our payment processor returns. We do not store your card details.
- Technical data - basic usage and device/log information needed to run and secure the service.
3. How and why we use it
- To provide the service to you (performance of our contract).
- To secure, maintain and improve Graft Up (our legitimate interests).
- To send you service and account emails, and - only with your consent - any marketing.
- To comply with our legal obligations.
4. Who we share it with
We don't sell your data. We use trusted sub-processors to run the service:
- Supabase - database, authentication and file storage.
- Vercel - application hosting.
- Mollie - our subscription billing.
- Stripe - processing card/bank payments from your customers to you.
- Resend - sending transactional email.
- Anthropic - AI features (e.g. receipt scanning), used only if you enable them and only for the content you submit.
We may also disclose data where required by law.
5. International transfers
Some sub-processors operate outside the UK. Where they do, we rely on appropriate safeguards (such as the UK International Data Transfer Agreement or an adequacy decision).
6. How long we keep it
We keep your data while your account is active and for a reasonable period afterwards, then delete or anonymise it. You can delete records in the app at any time; routine backups cycle out over time.
7. Security
Data is encrypted in transit, access is restricted, and the app is offline-first with data held locally on your device and synced securely. No system is perfectly secure, but we take reasonable steps to protect your data.
8. Cookies & local storage
Graft Up uses your browser's local storage to run the offline-first app and to keep you signed in. We do not use third-party advertising or tracking cookies.
9. Your rights
Under UK GDPR you can ask to access, correct, delete, restrict or port your personal data, or object to certain processing. Email support@graftup.co.uk and we'll respond. You can also complain to the Information Commissioner's Office (ico.org.uk).
10. Children
Graft Up is for businesses and is not intended for anyone under 18.
11. Changes & contact
We may update this policy and will post the new version here. Questions? Email support@graftup.co.uk.