1. Introduction
This Privacy Policy explains how Contraxus Limited ("Contraxus", "we", "us", "our") collects, uses, stores, shares and protects your personal data when you use our platform, websites, applications and services (the "Service").
Contraxus is a UK-registered company that operates an online marketplace connecting hospitality businesses with contractors and tradespeople.
We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and other applicable data protection laws.
2. Data Controller
For the purposes of UK data protection law, the data controller is:
Contraxus Limited
Company Number: 17038689
Registered Address: Unit 5b Eleventh Avenue North, Team Valley, Gateshead, Tyne & Wear, NE11 0NJ
Email: support@contraxus.com
If you have any questions about this Privacy Policy or our data practices, contact us at privacy@contraxus.com.
3. What Personal Data We Collect
We collect and process the following categories of personal data:
3.1 Information You Provide Directly
| Data Category | Examples | Who This Applies To |
|---|---|---|
| Account information | Email address, first name, last name, password | All users |
| Business details | Company name, company registration number, business structure, business type, VAT number | Contractors, Businesses |
| Contact details | Phone number, business email address | Contractors, Businesses |
| Address information | Business address, registered office address, postcode, city, county, country | Contractors, Businesses |
| Professional profile | Bio/description, trades, years in business, emergency service availability | Contractors |
| Compliance documents | Insurance certificates, accreditation documents, qualification certificates, registration numbers | Contractors |
| Job information | Job titles, descriptions, budget ranges, timelines, requirements | Businesses |
| Payment information | Billing address, payment method type (card brand, last 4 digits, expiry) | All paying users |
| Communications | Messages between users, support emails, review and rating content | All users |
| Identity verification | Companies House registration data (company name, number, status, date of incorporation, SIC codes) | Contractors (Ltd/LLP) |
3.2 Information Collected Automatically
| Data Category | Examples | Purpose |
|---|---|---|
| Location data | Latitude and longitude derived from your business address (via Google Places API) | Matching contractors with nearby businesses |
| Usage data | Pages visited, features used, job views, application activity | Service improvement and analytics |
| Device and browser data | IP address, browser type and version, operating system, device type | Security, fraud prevention, troubleshooting |
| Authentication data | Login timestamps, session tokens, authentication events | Security and access management |
| Cookie data | Session cookies, authentication cookies | See Section 11 (Cookies) |
3.3 Information from Third Parties
| Source | Data Received | Purpose |
|---|---|---|
| Auth0 (authentication provider) | Authentication tokens, user identifiers, login metadata | Secure sign-in and identity verification |
| Stripe (payment processor) | Payment confirmation, card brand, last 4 digits, expiry, billing address, payment status | Subscription billing and payment management |
| Google Places API | Address details, geographic coordinates, place identifiers | Address verification and location-based matching |
| Companies House | Company name, registration number, company status, date of incorporation, registered address, SIC codes | Business verification for Limited Companies and LLPs |
3.4 Special Category Data
We do not intentionally collect special category data (such as data concerning health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, or sexual orientation). If you include such data in free-text fields (e.g. a bio or message), you do so at your own discretion.
4. How We Use Your Personal Data
We process your personal data for the following purposes and on the following lawful bases:
| Purpose | Lawful Basis (UK GDPR Art. 6) | Details |
|---|---|---|
| Providing the Service | Performance of a contract (Art. 6(1)(b)) | Creating and managing your account, processing subscriptions, enabling matching between businesses and contractors, facilitating job postings and applications |
| Payment processing | Performance of a contract (Art. 6(1)(b)) | Processing subscription payments, managing billing, handling refunds, preventing payment fraud |
| Identity and business verification | Performance of a contract (Art. 6(1)(b)) | Verifying company registration via Companies House, reviewing uploaded compliance documents |
| Location-based matching | Performance of a contract (Art. 6(1)(b)) | Geocoding your business address to enable proximity-based contractor/business matching within your subscription tier's radius |
| Communications | Performance of a contract (Art. 6(1)(b)) | Sending transactional emails (welcome emails, job notifications, application updates, payment confirmations, subscription reminders, verification status updates) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) | Detecting and preventing unauthorised access, monitoring for abuse of the Acceptable Use Policy, protecting the integrity of the Service |
| Service improvement | Legitimate interests (Art. 6(1)(f)) | Analysing usage patterns, identifying and fixing bugs, improving features and user experience |
| Legal compliance | Legal obligation (Art. 6(1)(c)) | Complying with tax, accounting and regulatory requirements (e.g. HMRC record-keeping), responding to lawful requests from authorities |
| Marketing communications | Consent (Art. 6(1)(a)) | Sending promotional emails, newsletters or product updates (only with your opt-in consent; you can withdraw at any time) |
| Customer support | Legitimate interests (Art. 6(1)(f)) | Responding to your enquiries and resolving issues |
5. Who We Share Your Data With
5.1 Other Users of the Platform
Certain information is shared with other users as part of the Service's core functionality:
- Contractor profiles (company name, location, trades, bio, rating, reviews, insurance status, accreditation status, emergency availability) are visible to Business Users within the contractor's subscription visibility range.
- Business profiles (business name, type, location, contact person, rating, reviews) are visible to Contractor Users.
- Job postings (title, description, location, budget, requirements) are visible to matched Contractor Users (for public jobs) or invited contractors (for private jobs).
- Messages exchanged between users are visible to both parties in the conversation.
Contact details (phone, email) are shared with the other party only after an application is accepted or an invitation is responded to.
5.2 Third-Party Service Providers (Sub-Processors)
We share personal data with the following third-party service providers who process data on our behalf and under our instructions:
| Provider | Purpose | Data Shared | Location | Transfer Mechanism |
|---|---|---|---|---|
| Auth0 (Okta, Inc.) | Authentication and identity management | Email, name, user ID, login metadata, roles | United States | UK-US Data Bridge (UK Extension to EU-US Data Privacy Framework) |
| Stripe, Inc. | Payment processing | Name, email, billing address, payment method details, transaction history | United States | UK-US Data Bridge |
| Google LLC (Maps/Places API) | Address autocomplete and geocoding | Address text, postcode | United States | UK-US Data Bridge |
| SendGrid (Twilio, Inc.) | Transactional email delivery | Email address, name, email content | United States | UK-US Data Bridge |
| Microsoft Azure | Cloud hosting, database, file storage, real-time messaging | All data processed by the Service | United Kingdom (UK South / UK West) | N/A (data remains in UK) |
| Companies House | Company verification | Company number, company name | United Kingdom | N/A (UK government service) |
5.3 Legal and Regulatory Disclosures
We may disclose your personal data where required by law, regulation, legal process or enforceable governmental request, including to:
- comply with a court order, subpoena or other legal obligation;
- cooperate with law enforcement or regulatory authorities (including HMRC, the ICO or trading standards);
- protect the rights, property or safety of Contraxus, our users or the public;
- enforce our Terms and Conditions.
5.4 Business Transfers
In the event of a merger, acquisition, reorganisation, sale of assets or insolvency, your personal data may be transferred as part of that transaction. We will notify you of any such transfer and any changes to the data controller.
5.5 No Sale of Personal Data
We do not sell your personal data to third parties. We do not share your personal data with third parties for their own marketing purposes.
6. International Data Transfers
6.1. Our primary hosting infrastructure is located in the United Kingdom (Microsoft Azure UK regions). However, some of our third-party service providers process data in the United States, as detailed in Section 5.2.
6.2. Where personal data is transferred outside the United Kingdom, we ensure that appropriate safeguards are in place, including:
- transfers to countries with an adequacy decision from the UK Secretary of State;
- the UK-US Data Bridge (UK Extension to the EU-US Data Privacy Framework) for certified US organisations;
- Standard Contractual Clauses (SCCs) approved by the ICO, where the Data Bridge does not apply;
- other appropriate safeguards recognised under UK GDPR Article 46.
6.3. You may request a copy of the relevant safeguards by contacting us at privacy@contraxus.com.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (name, email, profile) | Duration of account + 90 days after closure | Service provision; reactivation window |
| Payment and billing records | 6 years after the transaction | HMRC tax and accounting requirements |
| Insurance and accreditation documents | Duration of account + 90 days after closure | Service provision; compliance records |
| Messages between users | Duration of account + 90 days after closure | Service provision |
| Job postings | Duration of account + 90 days after closure | Service provision |
| Reviews and ratings | Indefinitely (anonymised after account closure) | Platform integrity and trust |
| Authentication logs | 12 months | Security and fraud prevention |
| Support correspondence | 24 months after resolution | Quality assurance and dispute resolution |
| Marketing consent records | Duration of consent + 36 months | Proof of consent for regulatory compliance |
After the applicable retention period, personal data is either permanently deleted or irreversibly anonymised.
8. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
| Right | Description |
|---|---|
| Right of access (Art. 15) | Request a copy of the personal data we hold about you |
| Right to rectification (Art. 16) | Request correction of inaccurate or incomplete personal data |
| Right to erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations |
| Right to restrict processing (Art. 18) | Request that we limit the processing of your data in certain circumstances |
| Right to data portability (Art. 20) | Receive your personal data in a structured, commonly used, machine-readable format |
| Right to object (Art. 21) | Object to processing based on legitimate interests or for direct marketing |
| Right to withdraw consent | Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing |
| Rights relating to automated decision-making (Art. 22) | Not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects |
How to Exercise Your Rights
To exercise any of these rights, contact us at privacy@contraxus.com. We will respond within one month of receiving your request. This period may be extended by a further two months where requests are complex or numerous, in which case we will inform you within the first month.
To protect the security of your data, we may ask you to verify your identity before acting on a request.
There is no fee for exercising your rights in most cases. However, we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.
Right to Complain
If you are not satisfied with how we handle your personal data or respond to your rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint/
We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first.
9. Automated Decision-Making
9.1. The Service uses automated processing to match Contractor Users with Business Users based on trade, location, subscription tier visibility radius and insurance requirements. This matching is a core function of the Service and does not produce legal or similarly significant effects - it determines which profiles are displayed in search results, not whether a contractor is engaged for work.
9.2. Compliance scores displayed on contractor profiles are calculated automatically based on the completeness and verification status of uploaded documents. These scores are informational and do not result in any automated decisions with legal effect.
9.3. We do not use automated decision-making or profiling that produces legal or similarly significant effects on you without human involvement.
10. Data Security
10.1. We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, loss or destruction, including:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Data stored in our databases and file storage is encrypted using AES-256 encryption provided by Microsoft Azure.
- Authentication: User authentication is managed by Auth0 with support for strong password requirements and optional multi-factor authentication (MFA).
- Access controls: Access to personal data within our organisation is restricted to personnel who require it for their role, on a need-to-know basis.
- Payment security: Payment card data is handled entirely by Stripe (a PCI DSS Level 1 certified processor). We never receive, process or store full card numbers.
- Infrastructure security: Our hosting infrastructure (Microsoft Azure UK) provides physical security, network isolation, DDoS protection and continuous monitoring.
- Document storage: Uploaded documents (insurance certificates, accreditations) are stored in Azure Blob Storage with access controls limiting visibility to authorised users and administrators.
10.2. While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
10.3. If you become aware of any security vulnerability or suspected breach, please report it immediately to security@contraxus.com.
11. Cookies & Similar Technologies
11.1 What Are Cookies
Cookies are small text files placed on your device when you visit a website. We use cookies and similar technologies (such as local storage) to provide, secure and improve the Service.
11.2 Types of Cookies We Use
| Cookie Type | Purpose | Lawful Basis | Duration |
|---|---|---|---|
| Strictly necessary | Authentication (Auth0 session), security tokens, cookie consent preferences | Exempt from consent (essential for the Service) | Session / up to 30 days |
| Functional | Theme preferences (light/dark mode), language settings, remembered form inputs | Legitimate interests | Up to 12 months |
| Performance / Analytics | Not currently used | Consent | N/A |
| Marketing | Not currently used | Consent | N/A |
11.3 Third-Party Cookies
The following third-party services may set cookies when you use the Service:
| Provider | Purpose | More Information |
|---|---|---|
| Auth0 | Authentication session management | https://auth0.com/privacy |
| Stripe | Payment processing and fraud prevention | https://stripe.com/privacy |
11.4 Managing Cookies
You can manage your cookie preferences at any time through our cookie settings.
You can also control cookies through your browser settings. Blocking essential cookies may prevent you from using the Service. For more information about cookies and how to manage them, visit https://www.allaboutcookies.org.
12. Children's Privacy
The Service is not directed at individuals under the age of 18 and we do not knowingly collect personal data from children. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly and close the associated Account.
If you believe that a child under 18 has provided us with personal data, please contact us immediately at privacy@contraxus.com.
13. Marketing Communications
13.1. We will only send you marketing communications (promotional emails, newsletters, product announcements) if you have given us your explicit opt-in consent.
13.2. You can withdraw your marketing consent at any time by:
- clicking the "unsubscribe" link in any marketing email;
- updating your notification preferences in your Account settings;
- contacting us at privacy@contraxus.com.
13.3. Withdrawing marketing consent does not affect transactional communications that are necessary for the operation of your Account (such as billing notifications, security alerts, and service updates).
13.4. We do not share your personal data with third parties for their own marketing purposes.
14. Third-Party Links
The Service may contain links to third-party websites or services that are not operated by Contraxus. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party websites you visit.
15. Data Processing Agreement (Business Customers)
15.1. Where a Business User or Group Admin inputs personal data of their employees, agents or other individuals into the Service (for example, contact person details), the Business User is the data controller for that data and Contraxus acts as the data processor.
15.2. Our processing of such data is governed by a Data Processing Agreement (DPA) which is available on request from privacy@contraxus.com. The DPA forms part of our Terms and Conditions for business customers.
15.3. The DPA sets out:
- the scope, nature and purpose of processing;
- the types of personal data and categories of data subjects;
- the obligations and rights of the data controller;
- our obligations as data processor, including with respect to sub-processors;
- data breach notification procedures;
- data deletion and return on termination;
- audit rights.
16. Data Breach Procedures
16.1. In the event of a personal data breach, we will:
- assess the breach to determine its nature, scope and likely impact;
- where the breach is likely to result in a risk to the rights and freedoms of individuals, notify the Information Commissioner's Office (ICO) without undue delay and within 72 hours of becoming aware of the breach;
- where the breach is likely to result in a high risk to the rights and freedoms of individuals, notify affected users without undue delay, providing:
  - a description of the breach;
  - the categories and approximate number of individuals affected;
  - the likely consequences;
  - the measures taken or proposed to address the breach;
  - contact details for further information.
16.2. We maintain an internal breach register recording all personal data breaches, including those that do not meet the threshold for notification.
17. Changes to This Privacy Policy
17.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements, or for other operational reasons.
17.2. Where changes are material, we will notify you by email and/or by prominent notice within the Service at least 30 days before the changes take effect.
17.3. Your continued use of the Service after the updated Privacy Policy takes effect constitutes your acceptance of the changes. If you do not agree, you should stop using the Service and close your Account.
17.4. The "Last Updated" date at the top of this policy indicates when the current version was published. Previous versions are available on request.
18. Contact Us
If you have any questions, concerns or requests regarding this Privacy Policy or our handling of your personal data, please contact us:
Data Protection Enquiries
Email: privacy@contraxus.com
General Support
Email: support@contraxus.com
Postal Address
Contraxus Limited
Unit 5b Eleventh Avenue North, Team Valley, Gateshead, Tyne & Wear, NE11 0NJ
United Kingdom