Skip to content
Sign in Start free trial
Siteflo Quoteflo Cashflo Pricing Contact
Sign in Start free trial
Legal

Privacy Policy

How we collect, use, and protect your personal data.

Last updated: 19 May 2026

Draft notice: This is a draft policy template and has not yet been reviewed by a qualified solicitor. You should not rely on it for a live commercial service without independent legal review.

Contents

  1. Who we are
  2. What data we collect
  3. How we use your data and our legal basis
  4. Third-party processors
  5. The Adflo tracker and cookies
  6. How long we keep your data
  7. Where your data is stored
  8. Your rights
  9. How to make a complaint
  10. How we protect your data
  11. Children
  12. Changes to this policy

1. Who we are

Flobase is a SaaS platform for UK trade businesses, operated as a sole trader based in Cambridgeshire, England. For the purposes of UK data protection law, Flobase is the data controller for the personal data we hold about you.

If you have any questions about this policy or how we handle your data, please contact us:

We are registered with the Information Commissioner's Office (ICO).

2. What data we collect

We collect the following categories of personal data, depending on which modules you use:

Account and contact data

When you register for a Flobase account, we collect your name, email address, and business name. We use this to create and manage your account and to communicate with you about the service.

Business operational data

Through your day-to-day use of the platform, you enter business data such as customer names and contact details, job records, quotes, invoices, service contracts, and financial records. This data belongs to you — we process it solely to provide the service to you.

Google Ads performance data (Adflo users)

If you use the Adflo module, you can connect your Google Ads account via Google OAuth, which you explicitly authorise. We read advertising campaign data and performance metrics to display insights within Flobase. We do not use this data for any purpose other than providing Adflo to you.

Website visitor analytics data (Adflo tracker users)

If you enable the Adflo first-party analytics tracker on your own website, that tracker collects data about your website visitors — including pages visited, referring URLs, ad attribution data (such as Google Click IDs), and device and browser information. This data is collected on your behalf to provide ad performance attribution within Adflo.

Usage and technical data

We collect technical data about how you use Flobase, including browser type, IP address, and pages accessed. This is used to maintain the security and performance of the service. We also use Plausible Analytics — a privacy-focused analytics tool that processes only anonymised, aggregate data and does not use cookies.

Payment data

Billing information is collected and processed by Stripe, our payment provider. We do not store your full card details on our servers. Please see Stripe's own privacy policy for details of how they handle payment data.

3. How we use your data and our legal basis

We process your personal data on the following legal bases under UK GDPR:

Contract performance (Article 6(1)(b))

We process your account data and business operational data because it is necessary to perform our contract with you — that is, to provide you with the Flobase service.

Legitimate interests (Article 6(1)(f))

We process technical and usage data to maintain the security, reliability, and performance of our service. Our legitimate interest is in operating a secure and functional platform. We have balanced this against your privacy interests and are satisfied the processing is appropriate.

Consent (Article 6(1)(a))

Where the Adflo tracker is deployed on your website, the collection of data from your visitors relies on consent obtained by you through a cookie consent banner. You are responsible for obtaining valid consent from your visitors in accordance with UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

4. Third-party processors

We use the following third-party service providers to operate Flobase. Each acts as a data processor on our behalf, and we have data processing agreements or equivalent safeguards in place with each:

Processor Role Location Safeguards
Vercel Website hosting and serverless functions USA (CDN global) Standard Contractual Clauses
Supabase Database and authentication EU / UK Data Processing Agreement
Stripe Payment processing USA PCI-DSS certified; Standard Contractual Clauses
Resend Transactional email delivery USA Standard Contractual Clauses
Google OAuth and Ads data access (Adflo) USA Standard Contractual Clauses
Microsoft Clarity Website heatmaps and session analytics (Adflo, optional) USA Standard Contractual Clauses

We also use Plausible Analytics for privacy-preserving website analytics on flobase.co.uk. Plausible does not use cookies and processes only anonymised aggregate statistics — it does not constitute personal data processing under UK GDPR.

We do not sell your personal data. We do not share your business data with other Flobase customers.

5. The Adflo tracker and cookies

The Adflo module includes an optional first-party analytics tracker that you can install on your own website. This tracker is designed to capture visitor behaviour and ad attribution data — for example, recording which visitors arrive via a Google Ads click.

What the tracker collects

When deployed, the tracker may collect the following data about your website visitors:

  • Pages visited and time spent on site
  • Referring source (e.g. Google search, direct, paid ad)
  • Google Click ID (GCLID) and other ad attribution parameters
  • Browser type and device category (desktop/mobile)
  • A pseudonymous visitor identifier stored in a first-party cookie or local storage

The tracker does not collect names, email addresses, or other directly identifying personal data from your visitors.

Your responsibilities as the website owner

When you install the Adflo tracker, you become the data controller for data collected about your website visitors. You are responsible for:

  • Displaying a compliant cookie consent banner before any non-essential cookies are set
  • Obtaining valid, informed consent from your visitors in line with UK GDPR and PECR
  • Disclosing the Adflo tracker in your own website's privacy policy

We provide guidance on implementing a consent mechanism alongside the Adflo tracker. The tracker is designed to respect consent signals — it will not set cookies unless consent has been granted.

Microsoft Clarity (optional)

Adflo optionally integrates with Microsoft Clarity for heatmaps and session recordings. If you enable this integration, Clarity's own privacy terms apply, and you must disclose its use to your website visitors.

6. How long we keep your data

  • Account and contact data: Retained for as long as your account is active. Deleted within 30 days of account closure.
  • Business operational data: Retained for the duration of your subscription. You can export your data at any time. Permanently deleted within 30 days of account closure.
  • Financial and billing records: Retained for 7 years in line with HMRC requirements.
  • Google Ads data (Adflo): Retained only while your Adflo subscription is active. Deleted within 30 days of disconnection or account closure.
  • Website visitor data (Adflo tracker): Retained for 13 months by default, in line with standard analytics data retention practices. You may configure a shorter retention period.
  • Technical and usage logs: Typically retained for 90 days.

7. Where your data is stored

Your account and business data is stored in Supabase, with servers located in the EU or UK. We select EU/UK hosting regions wherever possible.

Some of our third-party processors are based in or route data through the United States. Where this occurs, we ensure appropriate safeguards are in place — primarily Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner. A full list of processors and their locations is in section 4 above.

8. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can ask us to correct inaccurate or incomplete data.
  • Right to erasure: You can ask us to delete your personal data in certain circumstances (for example, where it is no longer necessary for the purpose for which it was collected).
  • Right to restrict processing: You can ask us to limit how we use your data while a query is being resolved.
  • Right to data portability: You can ask for your data in a structured, machine-readable format.
  • Right to object: You can object to processing based on legitimate interests.
  • Rights relating to automated decision-making: We do not make automated decisions that have a significant legal effect on you.

To exercise any of these rights, please email info@flobase.co.uk. We will respond within one calendar month. We may need to verify your identity before processing a request.

9. How to make a complaint

If you are unhappy with how we handle your personal data, please contact us first at info@flobase.co.uk and we will do our best to resolve your concern.

If you remain dissatisfied, you have the right to lodge a complaint with the UK's supervisory authority:

  • Information Commissioner's Office (ICO)
  • Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Telephone: 0303 123 1113
  • Website: ico.org.uk

10. How we protect your data

We take reasonable technical and organisational measures to protect your data, including:

  • HTTPS encryption for all data in transit
  • Encryption for data at rest within Supabase
  • Row-level security policies that ensure your business data is isolated from other Flobase customers' data
  • Access controls limiting which individuals can access production systems
  • All payment processing handled by Stripe — we never handle raw card data

No method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we take our obligations seriously and will notify you and the ICO promptly in the event of a data breach that poses a risk to your rights.

11. Children

Flobase is designed for business owners and trade professionals. The service is not intended for anyone under the age of 18. We do not knowingly collect personal data from under-18s. If you believe we have inadvertently collected such data, please contact us at info@flobase.co.uk and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "last updated" date at the top of this page. Where a change is material, we will notify you by email to the address associated with your account. We encourage you to review this policy periodically.

Continued use of Flobase after a policy update constitutes your acceptance of the revised policy.

← Back to home