Privacy Policy

Last updated: 10 September 2025

1. Who we are

Measurely provides a Software-as-a-Service (SaaS) web application for contractors including jetwashers, driveway layers, installers, and other trade professionals. Our platform enables you to measure areas and lengths, create professional quotes and invoices, manage customers, and process payments. Members of the public may view and pay invoices generated by our users.

Data Controller: Measurely is the data controller for personal data processed through our platform, except where noted otherwise (such as payment processing).

2. Data we collect

2.1 Information you provide directly

• Account information: Name, email address, phone number, business name, address, and profile details
• Customer data: Customer names, contact details, addresses, and project information you input
• Project data: Measurements, drawings, notes, photos, quotes, invoices, and appointment details
• Communication data: Messages sent through our support system or feedback forms
• Financial data: Billing addresses, invoice amounts, payment references (we do not store full payment card details)

2.2 Information we collect automatically

• Usage data: How you interact with our platform, features used, time spent, and click patterns
• Technical data: IP address, browser type and version, device type, operating system, screen resolution
• Log data: Access times, pages viewed, errors encountered, and performance metrics
• Location data: Approximate location based on IP address (not precise GPS location)

2.3 Information from third parties

• Authentication services: Profile information if you sign up using Google or other OAuth providers
• Payment providers: Payment status, transaction references, and billing information from Stripe
• Calendar integration: Appointment data when you connect Google Calendar

3. How we use your data

3.1 Core service provision

• Create and manage your account, authenticate access, and maintain user profiles
• Enable measurement, quoting, and invoicing functionality
• Process and track appointments when calendar integration is used
• Generate and deliver quotes and invoices to your customers
• Manage customer data and project information on your behalf

3.2 Payment processing and financial management

• Process subscription payments and handle billing
• Enable invoice payments from your customers
• Prevent fraud and ensure payment security
• Maintain financial records for tax and accounting purposes

3.3 Platform improvement and support

• Analyze usage patterns to improve our service and develop new features
• Provide customer support and respond to inquiries
• Send service-related communications and important updates
• Monitor system performance and troubleshoot technical issues
• Ensure platform security and prevent abuse

4. Data storage and hosting

Primary hosting: We use Supabase, a reputable cloud database provider, to store your data. Supabase operates on secure infrastructure with enterprise-grade security measures.

Data location: Your data is primarily stored on servers located in the United States, with automatic backups maintained for reliability and disaster recovery.

Access controls: We implement Row Level Security (RLS) policies to ensure users can only access their own data or data explicitly shared with them. This provides database-level isolation between different users and companies.

5. Third-party services and integrations

5.1 Payment processing

Stripe: All payment processing is handled by Stripe, a PCI DSS compliant payment processor. We do not store full credit card details on our servers. Stripe acts as both a data processor and independent data controller for payment data.

5.2 Authentication and calendar integration

Google Services: If you choose to sign in with Google or connect Google Calendar, we receive limited profile information and calendar data as authorized by you. Google's privacy policy applies to data processed by Google.

5.3 Other service providers

• Hosting and infrastructure: Cloud hosting providers for reliable service delivery
• Email services: Transactional email providers for sending system notifications
• Analytics: Privacy-focused analytics tools to understand service usage (where consented)
• Support tools: Customer support platforms to provide assistance

All third-party service providers are carefully selected and bound by appropriate data processing agreements to ensure your data is protected to the same standards we apply.

6. Legal bases for processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal bases:

• Contract (Article 6(1)(b)): Processing necessary to provide the services you've signed up for, including account management, quote generation, invoicing, and payment processing
• Legitimate interests (Article 6(1)(f)): To operate, secure, improve, and develop our service, prevent fraud, provide customer support, and analyze usage patterns for service optimization
• Consent (Article 6(1)(a)): For optional features like marketing communications, certain analytics, or when required by law. You can withdraw consent at any time
• Legal obligation (Article 6(1)(c)): To comply with tax, accounting, financial regulations, and other legal requirements

7. Data sharing and disclosure

7.1 Service providers

We share data only with carefully selected service providers who help us deliver our service, including:

• Cloud hosting and database providers (Supabase)
• Payment processors (Stripe)
• Email delivery services
• Customer support platforms
• Analytics providers (where consented)

All service providers are bound by strict data processing agreements and are required to implement appropriate security measures.

7.2 What we never do

• We never sell your personal data to third parties
• We never share your data for advertising or marketing purposes by third parties
• We never provide access to your data to unauthorized parties

7.3 Legal requirements

We may disclose your data if required by law, court order, or to protect our rights, safety, or the safety of others. We will notify you of such disclosures unless prohibited by law.

8. Data retention

8.1 Active accounts

We retain your personal data for as long as your account remains active and you continue to use our services.

8.2 Account deletion

When you delete your account or request data deletion, we will:

• Immediately remove access to your data from our active systems
• Permanently delete your data within 30 days, except where retention is required by law
• Anonymize any data in backups, which may take up to 12 months to cycle through

8.3 Legal and business requirements

We may retain certain data longer when required for:

• Legal obligations (e.g., tax records for 7 years)
• Resolving disputes or enforcing agreements
• Preventing fraud and ensuring security
• Complying with regulatory requirements

9. Security measures

9.1 Technical safeguards

• Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption
• Access controls: Row Level Security (RLS) ensures users can only access their authorized data
• Authentication: Secure authentication with password hashing and optional two-factor authentication
• Network security: Firewalls, intrusion detection, and regular security monitoring

9.2 Organizational safeguards

• Regular security audits and vulnerability assessments
• Employee training on data protection and security best practices
• Incident response procedures for potential security breaches
• Limited access to personal data on a need-to-know basis

9.3 Important notice

While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we strive to protect your information using industry best practices.

10. Your privacy rights

Under applicable privacy laws (including GDPR, CCPA), you have the following rights regarding your personal data:

10.1 Access and transparency

• Right to access: Request a copy of your personal data we hold
• Right to information: Understand how your data is processed (covered in this policy)

10.2 Control and correction

• Right to rectification: Correct inaccurate or incomplete personal data
• Right to deletion ("right to be forgotten"): Request deletion of your personal data
• Right to data portability: Export your data in a structured, machine-readable format

10.3 Processing controls

• Right to object: Object to processing based on legitimate interests or for marketing
• Right to restrict processing: Limit how we process your data in certain circumstances
• Right to withdraw consent: Withdraw consent for processing based on consent

10.4 Exercising your rights

To exercise these rights, contact us using the information in section 13. We'll respond within 30 days (1 month under GDPR). Some rights may be limited by legal requirements or legitimate business interests.

11. International data transfers

Your data may be processed and stored outside your country of residence, including in the United States where our primary hosting infrastructure is located. We ensure appropriate safeguards are in place for international transfers, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Privacy Shield framework (where applicable)
• Other legally recognized transfer mechanisms

12. Cookies and tracking

We use cookies and similar technologies to provide and improve our service. These include:

• Essential cookies: Required for authentication, security, and core functionality
• Preference cookies: Remember your settings and preferences
• Analytics cookies: Help us understand usage patterns (with your consent)

For detailed information about our cookie usage, see our Cookie Policy.

13. Changes to this policy

We may update this privacy policy to reflect changes in our practices, technology, legal requirements, or other factors. When we make significant changes, we will:

• Update the "Last updated" date at the top of this policy
• Notify active users via email or in-app notification
• For material changes, provide 30 days' notice before the changes take effect

We encourage you to review this policy periodically to stay informed about how we protect your privacy.

14. Contact us

14.1 Privacy inquiries

For questions about this privacy policy, data protection concerns, or to exercise your privacy rights, please contact us:

• Email: privacy@measurely.co.uk
• Support portal: Available through your account dashboard
• Response time: We aim to respond to all privacy inquiries within 72 hours

14.2 Complaints and regulatory authorities

If you're not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with your local data protection authority:

• UK residents: Information Commissioner's Office (ICO) - ico.org.uk
• EU residents: Your national data protection authority
• Other jurisdictions: Your local privacy regulator