Privacy Policy

This Privacy Policy explains how JobStacker (“we”, “us”, “our”) collects, uses, stores, and protects personal data in connection with the JobStacker platform (“Service”). It also sets out the rights you have over your personal data.

We are committed to handling personal data responsibly and in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

1. Data Controller

JobStacker is the data controller in respect of personal data we collect directly from you (such as your account and profile information). Where you enter your customers’ personal data into the Service, you remain the data controller of that data and JobStacker acts as your data processor. Our contact details for privacy matters are set out in clause 13.

2. Personal Data We Collect

2.1 Account and Profile Data

When you register and set up your profile, we collect: name and email address; hashed password (stored and managed by Supabase Auth — we never have access to your plaintext password); business name, telephone number, and business address; region and country (used to determine currency and tax labelling); and company logo (optional, for PDF branding).

2.2 Quote and Job Data

The Service stores all data you enter to create and manage quotes and jobs, including: quote line items, descriptions, pricing, tax rates, and totals; job scheduling information (date, time, location, notes); and quote status and payment tracking information.

2.3 Customer Data You Enter

You may enter personal data about your customers into the Service, including their name, email address, telephone number, and address. You are the data controller in respect of this data. We process it on your behalf as your data processor, solely to provide the Service to you.

2.4 Subscription and Billing Data

We receive limited billing information via our payment processor, Stripe. This includes your Stripe customer ID, subscription plan tier, subscription status, and billing period dates. We do not store your payment card details; these are handled entirely by Stripe.

2.5 Technical and Usage Data

We collect limited technical data, including authentication tokens, your region preference, and onboarding status, stored locally in your browser. Our servers log request metadata (HTTP method, path, response status, duration) for operational purposes. We do not use analytics or advertising tracking tools; no cookies beyond authentication cookies are set.

2.6 AI Feature Data

When you use the AI quote generation feature (available on paid plans), the natural language description of work that you type is transmitted to a third-party AI provider (currently Groq and/or OpenAI) to generate a structured quote. We do not transmit your customers’ names, contact details, or other personal data to AI providers. See clause 6.3 for further details.

3. Purposes and Lawful Basis for Processing

We only process personal data where we have a lawful basis for doing so under UK GDPR Article 6. The table below sets out our main processing activities and their lawful basis.

Where we rely on legitimate interests, we have conducted a balancing assessment and determined that our interests are not overridden by your rights and freedoms. You have the right to object to processing based on legitimate interests; see clause 10.

4. Cookies and Browser Storage

We use the following browser-based storage mechanisms:

• Authentication session cookie (“supabase-auth-token”) — set by our server-side middleware to maintain your session. This cookie is necessary for the Service to function.
• localStorage items — we store your authentication token, region preference, and onboarding status flags locally in your browser. These are functional and strictly necessary to provide the Service.

We do not use analytics cookies, advertising cookies, or any third-party tracking scripts. No non-essential cookies are set. Because only strictly necessary cookies and storage are used, a consent banner is not required under PECR. However, you may clear browser storage at any time via your browser settings, which will require you to log in again.

5. Data Storage and Retention

5.1 Where Data is Stored

All personal data entered into the Service (account data, customer data, quotes, and jobs) is stored in a PostgreSQL database hosted by Supabase, Inc. on servers based in the United States. See clause 7 on international transfers.

5.2 Retention Periods

• Account and profile data: retained for the duration of your Account, plus up to 30 days following account deletion to allow recovery in case of accidental deletion.
• Quote and job data: retained for the duration of your Account, plus up to 30 days following account deletion.
• Customer data you have entered: retained as above.
• Billing metadata: retained for 7 years from the relevant transaction date, as required by HMRC financial record-keeping obligations.
• Server logs: retained for up to 30 days on a rolling basis.

5.3 Account Deletion

You may request deletion of your Account via your account settings or by contacting us at the address in clause 13. On account deletion, your personal data will be purged within 30 days, subject to the billing retention requirement above and any overriding legal obligation.

6. Data Sharing and Third-Party Processors

We do not sell, rent, or trade your personal data. We share personal data only with the third-party service providers described below, who act as our data processors and are contractually bound to process data only on our instructions.

6.1 Supabase, Inc. (Database and Authentication)

Supabase provides our database and authentication infrastructure. All user account data, customer data, quotes, and jobs are stored with Supabase. Data is stored in the United States. We have entered or will enter into a Data Processing Agreement with Supabase that includes Standard Contractual Clauses (SCCs) as required by UK GDPR for international transfers.

6.2 Stripe, Inc. (Payment Processing)

Stripe processes subscription payments. We share your email address, an internal user identifier, and your selected subscription plan with Stripe to initiate checkout. Stripe handles all payment card data directly; JobStacker never receives or stores your card details. Stripe operates under its own Data Processing Agreement, available at stripe.com/dpa.

6.3 Groq, Inc. and/or OpenAI, L.L.C. (AI Features)

When you use the AI quote generation feature, the natural language description of work you enter is transmitted to Groq or OpenAI to generate a quote suggestion. We transmit only the work description text — no customer names, contact details, addresses, or any other personal data are included in this transmission. Both providers have Data Processing Agreements covering this processing. If you do not wish to use AI features, you may use the Service on the Solo tier, which does not include AI functionality.

6.4 Other Disclosures

We may disclose personal data: (a) to comply with a legal obligation or court order; (b) to protect the vital interests of any person; (c) in connection with a merger, acquisition, or sale of assets (where the acquirer will be bound by equivalent data protection obligations); or (d) to enforce our Terms or protect our legal rights.

7. International Data Transfers

Our data processors — Supabase, Stripe, Groq, and OpenAI — are based in the United States. The United States does not currently benefit from a UK adequacy decision. Data transfers to these processors are carried out under the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) adopted in accordance with UK GDPR Article 46. Copies of the relevant transfer mechanisms are available on request.

8. Security

8.1 Security Measures

We implement technical and organisational measures designed to protect personal data against unauthorised access, disclosure, loss, or destruction. Our current measures include: encrypted transmission of all data over HTTPS/TLS; database encryption at rest (managed by Supabase); row-level security policies ensuring each user can access only their own data; bcrypt-hashed passwords (handled by Supabase Auth); input validation and sanitisation on all API endpoints; rate limiting on AI API endpoints to prevent abuse; CORS and origin validation controls; and JWT-based authentication verified on every API request.

8.2 Security Disclaimer

Despite the measures described above, no system connected to the internet can be guaranteed to be completely secure. We cannot warrant that data transmissions over the internet are entirely secure or that unauthorised third parties will never succeed in defeating our security measures. You provide personal data to the Service at your own risk. We will promptly notify you and the Information Commissioner’s Office (ICO) of any personal data breach to the extent required by UK GDPR Article 33 and 34.

8.3 Known Limitations

We periodically audit our security posture. Where we identify gaps, we work to address them on a risk-prioritised basis. If you discover a potential security vulnerability, please disclose it responsibly by contacting us at the address in clause 13 before making it public.

9. Children’s Privacy

The Service is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a child under 18 without appropriate parental consent, we will delete that data promptly.

10. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, contact us using the details in clause 13. We will respond within one calendar month (or notify you of any extension, as permitted under UK GDPR).

10.1 Right of Access

You have the right to obtain confirmation of whether we hold personal data about you, and to receive a copy of that data together with information about how it is processed.

10.2 Right to Rectification

You have the right to have inaccurate personal data corrected and incomplete personal data completed. You can update most account and profile data directly within the Service.

10.3 Right to Erasure

You have the right to request deletion of your personal data where: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw consent and no other lawful basis applies; (c) you object to processing and we have no overriding legitimate grounds; (d) the data has been unlawfully processed; or (e) deletion is required to comply with a legal obligation. Erasure is subject to retention requirements described in clause 5.2.

10.4 Right to Restriction

You have the right to request that we restrict processing of your personal data in certain circumstances, such as where you contest its accuracy or have objected to processing pending verification of our legitimate grounds.

10.5 Right to Data Portability

You have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where processing is based on consent or contract and carried out by automated means. We will implement a data export feature to facilitate this right.

10.6 Right to Object

You have the right to object at any time to processing of your personal data where we rely on legitimate interests (Art. 6(1)(f)) as our lawful basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

10.7 Automated Decision-Making

We do not make solely automated decisions that produce legal or similarly significant effects concerning you.

10.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113, if you believe we have not complied with our data protection obligations. We would appreciate the opportunity to address your concerns directly before you contact the ICO.

11. Third-Party Links

The Service may contain links to third-party websites or services. This Privacy Policy applies only to the JobStacker Service. We are not responsible for the privacy practices of any third-party sites and encourage you to review their privacy policies before providing any personal data.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, the Service, or applicable law. Where we make material changes, we will notify you by email or in-app notification at least 30 days before the changes take effect. The effective date at the top of this document indicates when the current version came into force. We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have a privacy concern, please contact us at:

We aim to respond to all privacy-related requests within 5 business days and to complete substantive responses within the statutory timeframe.