Privacy Policy

This Privacy Policy explains how Plumbify ("we", "us", "our") collects, uses, and protects information about our customers (plumbing contractors who subscribe to our service) and their end users (the callers who interact with our service via SMS and phone).

Plumbify is operated by Joe Burns, a sole trader based at 4 Sissinghurst Drive, Thrapston, Northamptonshire NN14 4XQ, United Kingdom. You can contact us at joe@getplumbify.com.

1. Who this policy covers

Customers (plumbing contractors)

If you subscribe to Plumbify on behalf of your plumbing business, this policy describes how we handle your account information, billing data, and usage of our service.

End users (the people who call or text our customers' numbers)

If someone calls or texts a phone number managed by Plumbify, this policy describes how their data is handled. We process this data on behalf of our customer (the plumbing business that owns the number) — they are the data controller; we are a data processor.

2. What information we collect

From customers, when you sign up:

• Email address
• Password (encrypted; we never see the plaintext)
• Business name
• Owner mobile phone number

From customers, on payment:

• Billing name and address
• Card details — processed and stored by Stripe, not by us. We only see the last 4 digits and card brand.

From end users (callers/texters):

• Phone number (caller ID, when not withheld)
• Inbound SMS message content (when they reply to our customer's number)
• Call metadata (time, duration, whether answered)

Usage data:

• Login times and IP addresses
• Dashboard activity (which pages you visit, which settings you change)
• Errors and performance data

3. How we use this information

• To deliver the service: route calls, send text-backs, log events to your dashboard
• To bill you: via Stripe, on the schedule you signed up for
• To support you: respond to questions and fix issues
• To improve the product: aggregate analytics — never tied to individual end users
• To comply with the law when legally required

We do not sell your data, share it with advertisers, or use it to train AI models for third parties.

4. Who we share data with (sub-processors)

Plumbify uses the following trusted third-party services to deliver our product. Each has their own privacy policy:

• Stripe — payment processing (stripe.com/privacy)
• Supabase — database and authentication (supabase.com/privacy)
• Twilio — phone numbers, SMS, and voice routing (twilio.com/legal/privacy)
• n8n.cloud — workflow automation backend (n8n.io/legal/privacy)
• Lovable — dashboard hosting (lovable.dev/privacy)
• Netlify — marketing site hosting (netlify.com/privacy)
• Cal.com — demo booking (cal.com/privacy)

5. International data transfers

Plumbify is based in the United Kingdom, our customers are typically based in the United States, and several of our sub-processors are based in the US. Personal data flows between the UK, the EU, and the US as a normal part of operating this service. Where required, transfers rely on Standard Contractual Clauses and other lawful safeguards under UK GDPR.

6. Data retention

• Account data: retained while your subscription is active and for 6 years after cancellation for legal/tax compliance
• Event logs (calls, replies): retained while your subscription is active. On request after cancellation, we'll delete or export them.
• Payment records: held by Stripe per their retention policy — we don't separately store this data

7. Your rights

Under UK GDPR and equivalent laws, you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion (subject to legal retention requirements above)
• Object to or restrict processing
• Request a copy of your data in a portable format
• Lodge a complaint with the Information Commissioner's Office (ICO) in the UK

To exercise any of these rights, email joe@getplumbify.com. We'll respond within 30 days.

8. Security

We protect your data with industry-standard measures:

• All connections to our service use HTTPS/TLS encryption
• Passwords are hashed; we never see your plaintext password
• Database access is restricted by Row Level Security — each customer can only see their own data
• Sub-processors (Stripe, Supabase, Twilio, etc.) maintain SOC 2 and equivalent certifications

No system is 100% secure. If a data breach affects you, we'll notify you and the ICO within 72 hours where required by law.

9. Cookies

Our marketing site (getplumbify.com) uses minimal cookies — only what's needed to load the page and remember your preferences. We don't use third-party analytics that profile you. Our dashboard application uses authentication cookies to keep you logged in.

10. Changes to this policy

We may update this policy from time to time. If we make material changes, we'll notify customers via email at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

11. Contact

Questions, requests, or complaints about privacy can be sent to:

• Email: joe@getplumbify.com
• Post: Joe Burns, 4 Sissinghurst Drive, Thrapston, Northamptonshire NN14 4XQ, United Kingdom