Privacy policy
Last updated: 12 June 2026
1. Who we are
BrushDesk is a job-management platform for painting and decorating businesses, operated by Pending confirmation: [BrushDesk Ltd, company number TBC], registered in England and Wales at Pending confirmation: [registered office address TBC]. We are registered with the Information Commissioner's Office under registration number Pending confirmation: [ICO registration TBC].
For data protection purposes, this policy uses “we” and “us” to mean BrushDesk, and “your firm” to mean the business that holds a BrushDesk account.
2. Controller and processor — two roles
We act in two distinct capacities under UK data protection law (UK GDPR and the Data Protection Act 2018):
- Controller — for the data we hold about you as our customer: account details, billing records, support correspondence and usage of the service.
- Processor — for the business data your firm enters into BrushDesk about its own customers, jobs, quotes and invoices. Your firm is the controller of that data; we process it only on your firm's instructions to provide the service. A data processing agreement (DPA) covering this is available on request — contact us at Pending confirmation: [privacy contact mailbox TBC].
3. Data we collect
- Account data — name, email address, role within your firm, and password (stored as a secure hash, never in plain text).
- Organisation data — your firm's name, contact details, VAT and CIS settings, and branding.
- Business data your firm enters — customer contacts, job details, estimates, quotes, invoices, payments, timesheets and site photos. Your firm controls this data.
- Billing data — subscription plan, seat counts and payment history. Card details are collected and held by Stripe; we never see or store full card numbers.
- Technical data — IP address, browser type, and server logs used for security and to diagnose faults.
- Early-access list — if you join the waiting list on our website, your email address and any optional campaign tags (UTM parameters) in the link you followed. This is stored with Supabase alongside our other data and is never sold.
4. How we use data, and our lawful bases
- Providing the service (contract) — operating your workspace, sending the emails you trigger (quotes, invoices, receipts, reminders), and processing payments.
- Billing and account management (contract, legal obligation) — subscription charges, VAT invoicing and accounting records.
- Service communications (contract, legitimate interests) — transactional emails such as email verification, trial notices and billing alerts. These are not marketing.
- Security and fraud prevention (legitimate interests, legal obligation) — access logs, abuse detection and incident response.
- Improving the service (legitimate interests) — aggregate, de-identified usage analysis.
- Early-access invites and product updates (consent) — emailing the waiting list about your invite and BrushDesk news. You can be removed at any time by replying to any of our emails or contacting the address in the footer of this site.
We do not sell personal data, and we do not use your firm's business data for advertising.
5. Sub-processors
We use a small number of service providers to run BrushDesk. Each is bound by a data processing agreement:
- Supabase — database, authentication and file storage (hosted in the EU, eu-west region).
- Stripe — subscription billing, and card payments taken by your firm through its own Stripe account.
- Resend — transactional email delivery.
- Vercel — application hosting and content delivery.
We will update this list before adding or replacing a sub-processor that handles personal data.
6. International transfers
Your firm's data is stored in the EU. Where a sub-processor processes limited data outside the UK or EEA (for example, US-based infrastructure of Stripe, Resend or Vercel), the transfer is safeguarded by the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision where one applies.
7. Retention
- Account and business data — kept while your firm's account is active. After cancellation, your firm can export its data; we delete it 30 days after account closure unless the law requires longer retention.
- Financial records — invoices and billing records are kept for 6 years after the end of the relevant financial year, as required by UK tax law.
- Server logs — kept for a short rolling window for security purposes.
8. Your rights
Under UK GDPR you have the right to access, correct, delete, restrict or object to the processing of your personal data, the right to data portability, and the right to withdraw consent where processing is based on consent. To exercise any of these, contact Pending confirmation: [privacy contact mailbox TBC].
If your data is in BrushDesk because a decorating firm you deal with uses our software (for example, you received a quote or invoice through it), the firm is the controller — please contact them directly. We will assist them in responding.
You also have the right to complain to the Information Commissioner's Office (ico.org.uk).
10. Security
All data is encrypted in transit (TLS) and at rest. Every organisation's data is isolated at the database layer with row-level security, enforced and tested on every release. Access to production systems is restricted and logged. If a personal data breach occurs, we will notify affected firms and the ICO where required by law.
11. Changes and contact
We will post any changes to this policy here and update the date at the top. For material changes we will email account owners. Questions about this policy: Pending confirmation: [privacy contact mailbox TBC].