gaffer.

Privacy Policy

Last updated: 12 March 2026

1. Who We Are

Gaffer ("we", "us", "our") operates the Gaffer platform, an AI-powered WhatsApp business assistant for tradespeople. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our Service.

For the purposes of UK GDPR, Gaffer acts as a data processor on behalf of our business customers (the tradespeople), who are the data controllers of their end-customer data. For data relating to our business customers directly (account holders), we act as the data controller.

Contact: [email protected]

2. What Data We Collect

a) Account Holder Data (Tradespeople)

When you sign up and use Gaffer, we collect:

  • Full name, email address, phone number
  • Business name, trade type, business address
  • Working hours, hourly rates, service area
  • Payment information (processed by Stripe; we do not store card details)
  • Usage data: login times, features used, messages sent/received

b) End-Customer Data (Your Customers)

When your customers communicate via your Gaffer number, we collect:

  • Name, phone number, email address (as provided by you or your customer)
  • Message content (WhatsApp messages, SMS)
  • Job details, quotes, invoices, and appointment information
  • Address and location data (when relevant to jobs)
  • Call recordings and transcripts (Pro tier only, if voice features are enabled)

c) Automatically Collected Data

  • IP address, browser type, device information when accessing the dashboard
  • Cookies for session management and authentication (see Section 8)

3. How We Use Your Data

Purpose | Legal Basis (UK GDPR)
Providing the Service (messaging, scheduling, invoicing) | Performance of contract
Processing payments and managing subscriptions | Performance of contract
AI processing of messages to generate responses | Performance of contract
Sending service-related notifications | Legitimate interest
Improving the Service and fixing bugs | Legitimate interest
Preventing fraud and ensuring security | Legitimate interest
Compliance with legal obligations | Legal obligation

4. Third-Party Services

We share data with the following third-party services, solely to operate the platform:

Provider | Purpose | Data Shared
Twilio | WhatsApp and SMS messaging, phone numbers | Phone numbers, message content
Anthropic (Claude) | AI conversation processing | Message content, business context
Stripe | Payment processing | Email, name, payment details
Mailgun | Transactional email | Email addresses, email content
Google Maps | Travel time and directions | Addresses, postcodes

Each provider operates under their own privacy policy and data processing agreements. We do not sell, rent, or trade personal data to third parties for marketing purposes.

5. AI Processing

  • Messages sent to and from your Gaffer number are processed by an AI system (powered by Anthropic Claude) to generate appropriate responses.
  • AI processing occurs in real time and is necessary to deliver the core Service.
  • Message content is sent to Anthropic for processing. Anthropic does not use this data to train their models (per their commercial data processing terms).
  • We do not use your messages or customer data to train any AI models.

6. Data Storage and Security

  • Data is stored on secure servers within the UK/EEA.
  • All data in transit is encrypted using TLS 1.2+.
  • Database access is restricted and protected by authentication.
  • We conduct regular security reviews to identify and address vulnerabilities.
  • Payment data is handled entirely by Stripe (PCI DSS compliant). We never store card numbers.

7. Data Retention

Data Type | Retention Period
Account data | Duration of account + 30 days after deletion
Message content | Duration of account + 30 days after deletion
Customer data | Until deleted by account holder, or 30 days after account deletion
Invoices and financial records | 6 years (legal requirement)
Server logs | 90 days

8. Cookies

We use strictly necessary cookies only:

  • Session cookie — maintains your logged-in state. Expires when you close your browser or after inactivity.
  • Remember-me cookie — keeps you signed in across sessions (optional, set when you choose to stay signed in). Expires after 30 days.

We do not use tracking cookies, advertising cookies, or analytics cookies.

9. Your Rights (UK GDPR)

As an account holder, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate data via the dashboard settings
  • Erasure — delete your account and all associated data
  • Data portability — export your data in a machine-readable format (CSV)
  • Restriction — request we limit processing of your data
  • Objection — object to processing based on legitimate interest

To exercise any of these rights, contact [email protected]. We will respond within 30 days.

Your Customers' Rights

As the data controller for your end-customers, you are responsible for handling their data subject requests. Gaffer provides tools in the dashboard (customer deletion, data export) to help you comply. If an end-customer contacts us directly, we will direct them to you.

10. International Transfers

Some of our third-party providers (Anthropic, Stripe, Twilio) process data in the United States. These transfers are protected by:

  • The EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs)
  • Provider-specific data processing agreements

11. Children

The Service is not intended for use by anyone under 18. We do not knowingly collect data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 14 days before taking effect. The "last updated" date at the top will always reflect the current version.

13. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

ico.org.uk/make-a-complaint

14. Contact

For any questions about this Privacy Policy or your data, contact us at [email protected].