Privacy Policy.
What data we collect, why we collect it, who we share it with, and your rights under UK GDPR.
Last updated: 29 April 2026
1. Who we are
SteelEstim8 — marketing site at steelestim8.co.uk, application at steelestim8.com — is the data controller for the personal data described in this policy. You can contact us at info@steelestim8.com.
To complete before launch: registered company name & number, registered address, and ICO registration number.
2. The short version
- We collect what we need to run the service for you (your account, your billing, your usage), and nothing else.
- We don't sell your data, share it with advertisers, or "anonymise and aggregate" your estimates for resale.
- We use two processors: Stripe (payments) and Cloudflare (hosting + email PIN auth). That's it.
- You can ask for a copy of your data, or its deletion, any time. UK GDPR rights apply in full.
3. What data we collect
Account data:
- Your email address (for sign-in and notifications)
- Company name, registered address, VAT number (added by you in your firm settings)
- Login session tokens, last-seen timestamp
Customer Data (the work you put in):
- Rate library entries (steel sections, cladding rates, etc.)
- Estimates and quotes you build
- Generated quote PDFs and GA drawings
- Pipeline metadata (status, value, win/loss)
Billing data (held by Stripe, not us):
- Card details (saved by Stripe for recurring monthly charges on Monthly plan, or for the one-off charge on Annual plan)
- Apple Pay / Google Pay tokens, or bank-transfer reference (Annual plan, if used instead of card)
- Billing email and address
- Payment history
We never see or store your raw card details. Stripe handles them on PCI DSS-compliant infrastructure as our processor under UK GDPR.
Technical data:
- IP address (logged briefly for security & rate limiting)
- Browser type and version (server logs, kept short-term)
- Error reports if the app crashes (anonymised stack traces)
We do not use third-party analytics or tracking pixels on steelestim8.com (the application). The marketing site (steelestim8.co.uk) may use Cloudflare Web Analytics, a privacy-respecting, cookie-less analytics product that does not track individual users.
4. Why we collect it (lawful basis)
- Contract (Article 6(1)(b) UK GDPR): account data, Customer Data, and billing data — necessary to provide the subscription service you've contracted for.
- Legitimate interests (Article 6(1)(f) UK GDPR): IP/server logs and error reports — necessary to keep the service secure and reliable. We have balanced this interest against your privacy: the data involved is minimal and is kept only briefly (see section 7).
- Legal obligation (Article 6(1)(c) UK GDPR): retention of invoice records for HMRC purposes (typically 6 years).
5. Who we share it with
We use the following processors. Each is contractually bound to process data only on our instructions and to UK GDPR standards.
- Stripe Payments UK Ltd — payment processing (Monthly plan: card stored at sign-up via Stripe Checkout, then charged automatically each month; Annual plan: one-off upfront card / wallet / bank transfer via Stripe Checkout). Stripe holds your card details, not us.
- Cloudflare, Inc. — hosting (Workers, Pages, KV storage), Cloudflare Access (email-PIN sign-in), and DNS. Customer Data is stored in Cloudflare KV, primarily on UK/EU edges.
We do not share your data with anyone else. We do not sell it. We do not "enrich" it with third-party data.
6. International transfers
Cloudflare and Stripe are US-headquartered companies. Where any personal data is transferred outside the UK, the transfer relies on a mechanism approved by the UK Information Commissioner's Office (ICO): the UK Addendum to the EU Standard Contractual Clauses, or UK adequacy regulations where they apply. In practice, Customer Data for the SteelEstim8 service sits in Cloudflare's UK/EU infrastructure.
7. How long we keep it
- Active account data: for as long as your subscription is active.
- Customer Data after termination: retained for 30 days post-termination so you can export it; permanently deleted from active systems within 90 days. Backups expire on their normal cycle (within 12 months).
- Invoice/billing records: kept for 6 years to meet HMRC requirements.
- Server logs: typically 30 days.
- Support emails: kept while the conversation is live, archived for 12 months, then deleted.
8. Cookies
The marketing site (steelestim8.co.uk) does not use tracking cookies. If we add Cloudflare Web Analytics, that product is cookie-less and does not require a cookie banner under UK regulations.
The app (steelestim8.com) uses strictly necessary cookies for authentication via Cloudflare Access. These do not require consent under UK PECR rules.
9. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten"), subject to legal retention requirements
- Restrict our processing in certain circumstances
- Data portability — receive your data in a structured, machine-readable format
- Object to processing based on legitimate interests
- Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk
To exercise any of these rights, email info@steelestim8.com. We will respond within one calendar month, as required by UK GDPR.
10. Security
We protect your data with:
- Cloudflare Access (email-PIN sign-in for the app) — no password reuse risk
- HTTPS/TLS encryption in transit
- Cloudflare KV encryption at rest
- No passwords stored anywhere — identity is verified by per-session email PIN
- Stripe handles all payment data on PCI-DSS compliant infrastructure
If we ever experience a personal-data breach that affects you, we will notify the ICO and you within the timeframes required by UK GDPR.
11. Changes to this policy
We may update this policy. Material changes will be notified by email to your registered address with at least 14 days' notice before taking effect.
12. Contact
Questions or to exercise a UK GDPR right: info@steelestim8.com.