Privacy policy
Last updated: 28 May 2026
About this policy
This policy explains what personal data WebNoms collects, why we collect it, how we use it, who we share it with, and what your rights are. WebNoms is a trading name. Operator details and the contact address for data questions are in the contact section at the bottom.
The two roles we play
WebNoms processes two distinct sets of personal data, with two different roles under UK GDPR.
Controller of tradesman account data. When you sign up as a tradesman, we are the controller for your account data (name, business name, billing details, dashboard activity logs). We decide what we collect and why.
Processor of your customers’ data. When your customers submit enquiries through your site, leave testimonials, or pay invoices via the platform, we process that data on your behalf. You are the controller. We act as a processor under contract and only use that data to run the service for you. Your customers’ rights questions usually need to go to you in the first instance.
What we collect
Account data. Your name, business name, email address, phone number, postcode and trade. You give us this when you sign up or update your dashboard. Multi-user team accounts each have their own profile.
Payment data. Billing name, address and a token for your card or PayPal account. Card numbers themselves are processed and stored by Stripe or PayPal, not by us. We retain transaction IDs and amounts for billing audit.
Site content. Anything you put on your WebNoms site: photos, services, prices, opening hours, testimonials, FAQs, logos and branding.
Customer enquiries. When one of your customers fills in your quote form, we receive their name, contact details, postcode and message and forward it to you. We keep a copy in your dashboard so you can see your history.
Customer records. Customer details you save manually, equipment you’ve fitted at their address, certificates you’ve issued, jobs you’ve scheduled, invoices you’ve sent. You add this data; we store it on your behalf.
AI feature inputs and outputs. When you use AI features (auto replies, quote drafts, document drafting, chat support bot, voice receptionist transcripts, voice memo to quote, logo generation, social posts), the relevant inputs are sent to our AI provider for processing. We retain a copy of the output, plus token-count usage data for cost accounting.
SMS and email sending records. When the platform sends SMS or emails on your behalf (lead alerts, customer reminders, review requests, chase emails), we log destination phone or email, segment count or message body ID, delivery status, and cost. Used for cap enforcement, billing, and abuse detection.
Calendar sync data. If you connect Google, Outlook or Apple Calendar, we store an OAuth refresh token (or, for Apple CalDAV, an app-specific password) so we can read and write events. Tokens are encrypted at rest. We only read events we’ve created and only write events you ask us to create.
Chat support transcripts. When you use the in-dashboard chat support, your messages and the bot’s replies are stored against your account so you can pick up where you left off. Escalations create a support ticket that retains the transcript for our records.
Technical data. Your IP address, browser type, basic usage logs and analytics pageviews. We use these to keep the service running, spot abuse, and understand how the marketing site is performing. The marketing-site analytics provider (Vercel Analytics) is cookieless and uses an anonymised daily-rotating hash rather than a persistent identifier.
Pre-signup prospect data. Before some tradesmen sign up, we may have already built a preview website for them using publicly-available business information (business name, trade, area, public reviews, photos visible on public-facing directories and your own website). We collect this to demonstrate the service. If you don’t want a preview built for your business, contact us and we’ll remove it.
Why we use it
We use your data to provide the service (run your site, route enquiries, draft AI outputs, take payment, respond to support), to comply with our legal obligations (tax, fraud prevention, lawful messaging), and to send service-related emails (billing receipts, security alerts, account notices).
We will only send marketing emails if you’ve opted in, and you can unsubscribe at any time. We don’t profile users for advertising and we don’t sell data.
Lawful basis
We rely on contract for delivering the service you’ve signed up for and most of the things you do inside it, legal obligation for tax, billing audit and fraud-prevention records, and legitimate interests for fraud detection, service improvement, abuse pattern analysis, and security logging. For pre-signup prospect data we rely on legitimate interests (demonstrating the service to a business audience using already-public information), balanced against the data subject’s reasonable expectations.
AI features and your data
Some parts of the service use an AI provider (Anthropic) to draft replies, quotes, documents, social posts, chat responses, voice transcripts and logos. When you use an AI feature, the relevant inputs (your prompt or the source content) are sent to Anthropic for processing under our enterprise terms with them. Anthropic does not train their models on the content we send. A small portion of usage data may be used by Anthropic for safety and reliability monitoring, in line with their published policies.
AI outputs are drafts only. You are responsible for reviewing them before any is sent to a customer or filed as a compliance document. See the Terms of service section 11 for the full position.
Who we share data with
We work with a small number of trusted suppliers who help us run WebNoms. Each is bound by appropriate data processing terms. We don’t sell your data, and we don’t share it with advertisers.
- Stripe, payment processing, Stripe Connect for your customer payments, billing portal.
- PayPal, alternative payment processing if you signed up with PayPal or your customers paid you with PayPal.
- Vercel, application hosting and cookieless web analytics.
- Cloudflare, image and file storage (R2), DNS and SSL for custom domains; Cloudflare Registrar for domain registration.
- Anthropic, AI model provider for the drafting features described above.
- Telnyx, SMS gateway for lead notifications, customer reminders, and the voice receptionist channel.
- Resend, sending transactional and notification emails.
- Google, Microsoft, Apple, only if you connect their calendar sync; we only access the events you create through the platform.
- HMRC, only when you submit a VAT return through our Making Tax Digital interface, and only the figures you confirm before submission.
Where your data lives, international transfers
We host primarily in the UK and EU. Some of our suppliers (including Stripe, Vercel, Anthropic, Cloudflare and Resend) may process data in the United States or other jurisdictions. Where personal data leaves the UK, we rely on the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses with the UK Addendum, as appropriate. We also rely on adequacy decisions where applicable.
How long we keep it
Account data is kept while your account is active and for 30 days after cancellation to allow reactivation. After 30 days the account is permanently deleted, including site content, uploaded media, customer records, scheduled tasks, chat support transcripts and any remaining credit balance.
Billing records (invoices, receipts, VAT records) are kept for at least 6 years from the end of the financial year, to meet HMRC requirements.
Technical logs and analytics pageviews are kept for up to 90 days. SMS and email sending logs are kept for up to 12 months for abuse detection and cost audit. Pre-signup prospect data is kept until either the prospect signs up (at which point it becomes their account data) or 12 months after the last update, whichever is shorter.
Security
We use HTTPS in transit, encrypted storage at rest, role-based access control on the admin interface, and two-factor authentication on staff accounts. Calendar sync tokens, HMRC OAuth tokens and other particularly sensitive credentials are encrypted with a separate at-rest key. If we become aware of a personal data breach affecting your account, we’ll notify you and (where required) the ICO within 72 hours, per UK GDPR Articles 33 and 34.
Your rights
Under UK GDPR you have rights to: access your data, correct it, delete it, restrict or object to its use, and data portability. To exercise any of these, email privacy@webnoms.com and we’ll respond within one month.
If you’re unhappy with how we’ve handled your data you can complain to the Information Commissioner’s Office (ICO): ico.org.uk.
Cookies
We use a small number of essential cookies and a localStorage entry for your cookie-consent choice. No tracking or advertising cookies are used. Our web analytics provider is cookieless. See our Cookie Policy for the full list.
Changes to this policy
We may update this policy from time to time. If a change materially affects you, we’ll let you know by email.
Contact
Questions or requests about your data? Email privacy@webnoms.com.