Privacy · UK GDPR · ICO registered

Privacy Policy

This is the OptitechAutomation privacy policy. It explains what data we collect, how we use it, where we store it, and what rights you have under UK GDPR. Plain English. Written by Cristian in Torbay, Devon. Draft pending solicitor review — final v1.0 will be published before any real customer signs up.

Draft notice. This privacy policy is a live policy as of May 2026. It is being reviewed by a UK solicitor specialising in data-protection law. The final v1.0 will be published before any paying customer signs up, and Founders' Cohort customers will receive the final text by email prior to platform go-live. The substance below is unlikely to change materially — UK GDPR sets the framework — but specific wording and clauses may be refined.

Data we collect

What we collect.

Account data

When you create an OptitechAutomation account: business name, owner name, email, phone, billing address, VAT number, trade category. Required to operate the platform.

Job data

Customer-of-customer data your business inputs: customer name, address, phone, email, job notes, photos, certificates, invoices. You are the data controller for this data; we are the data processor.

Customer data (end-customer bookings)

When an end-customer books on your booking page: name, contact details, postcode, job description, deposit payment info (via Stripe — full card details never touch our servers). Used to fulfil the booking and pass to your business.

Payment data

Subscription billing through Stripe. We store: Stripe customer ID, last 4 of card, expiry, billing address. We do NOT store full PAN, CVC, or card number. PCI-DSS compliance is via Stripe's SAQ-A scope.

Cookies & usage

Session cookies for login. Strictly necessary cookies only by default — no third-party advertising trackers, no Google Analytics by default. Optional analytics cookie (anonymous, no PII) can be enabled with your consent.

How we use it

Lawful bases under UK GDPR.

We process personal data on these lawful bases:

Contract (Art. 6(1)(b))

For everything required to deliver the OptitechAutomation service to you: booking management, dispatch, invoicing, support.

Legitimate interests (Art. 6(1)(f))

Security monitoring, fraud prevention, anonymous usage analytics, operator supervision of the platform (Cristian reviewing dashboards). Balanced against your rights — we don't profile or sell.

Consent (Art. 6(1)(a))

For optional analytics cookies, marketing email beyond service emails, and any other use that isn't strictly necessary. Always opt-in.

Legal obligation (Art. 6(1)(c))

Tax records (HMRC), Companies House, anti-money-laundering verification, lawful court orders.

Your rights

UK GDPR data rights.

Under UK GDPR you have the following rights as a data subject:

  • Access — receive a copy of all personal data we hold about you. Free, within 30 days.
  • Rectification — correct inaccurate data.
  • Erasure ("right to be forgotten") — delete data where lawful (some financial records must be retained for HMRC).
  • Restriction — limit our processing while a dispute is resolved.
  • Portability — receive your data in a structured machine-readable format. CSV/JSON.
  • Object — to processing based on legitimate interests.
  • Withdraw consent — for any consent-based processing.
  • Complain — to the UK Information Commissioner's Office (ICO).

To exercise any of these, email hello@optitechautomation.co.uk with "Data request: [your name]" in the subject. Cristian handles all data requests personally.

Sub-processors

The handful of processors we use.

OptitechAutomation uses the following sub-processors. All are GDPR-compliant. All process data in the UK or EU.

Processor           Purpose                      Location
Supabase            Database + auth              London (AWS eu-west-2)
Stripe              Payments + billing           UK / EU
GoCardless          Direct Debit (optional)      UK
Vercel              Static hosting (marketing)   London edge
Twilio              SMS notifications            UK routing
Xero / QuickBooks   Accounting sync              UK / EU

Retention

How long we keep things.

Active customers: data retained for the duration of the subscription.

Cancelled customers: data export available for 90 days after cancellation, then deleted unless retention is legally required (HMRC records 6 years).

Backups: 30-day rolling snapshot.

Marketing email list: opt-in with one-click unsubscribe; we delete unsubscribed records within 30 days.

Data Protection Officer / contact

Who to talk to.

OptitechAutomation does not currently require a formal DPO under UK GDPR (we don't meet the threshold). All data-protection queries are handled by Cristian directly.

Cristian (Data Protection Lead)
OptitechAutomation (Cristian Moise, Sole Trader)
Torquay TQ2, Devon
hello@optitechautomation.co.uk

For unresolved data-protection complaints: UK Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF, ico.org.uk.

Last updated: 24 May 2026.