Privacy Policy

Last updated 28 June 2026

This policy explains how Graft Up (“Graft Up”) handles personal data, in line with UK GDPR and the Data Protection Act 2018. Contact us about privacy at support@graftup.co.uk.

1. Who is the controller

Graft Up is the data controller for your account and how you use the service. For the information you enter about your own customers (names, addresses, contact details, job history), you are the controller and Graft Up acts as your processor, handling that data only on your instructions to run the service.

2. What we collect

  • Account details - your name, email and business profile.
  • Business data you enter - customers, properties, jobs, quotes, invoices, certificates, photos and notes.
  • Subscription data - your plan status and the identifiers our payment processor returns. We do not store your card details.
  • Technical data - basic usage and device/log information needed to run and secure the service.

3. How and why we use it

  • To provide the service to you (performance of our contract).
  • To secure, maintain and improve Graft Up (our legitimate interests).
  • To send you service and account emails, and - only with your consent - any marketing.
  • To comply with our legal obligations.

4. Who we share it with

We don't sell your data. We use trusted sub-processors to run the service:

  • Supabase - database, authentication and file storage.
  • Vercel - application hosting.
  • Mollie - our subscription billing.
  • Stripe - processing card/bank payments from your customers to you.
  • Resend - sending transactional email.
  • Anthropic - AI features (e.g. receipt scanning), used only if you enable them and only for the content you submit.

We may also disclose data where required by law.

5. International transfers

Some sub-processors operate outside the UK. Where they do, we rely on appropriate safeguards (such as the UK International Data Transfer Agreement or an adequacy decision).

6. How long we keep it

We keep your data while your account is active and for a reasonable period afterwards, then delete or anonymise it. You can delete records in the app at any time; routine backups cycle out over time.

7. Security

Data is encrypted in transit, access is restricted, and the app is offline-first with data held locally on your device and synced securely. No system is perfectly secure, but we take reasonable steps to protect your data.

8. Cookies & local storage

Graft Up uses your browser's local storage to run the offline-first app and to keep you signed in. We do not use third-party advertising or tracking cookies.

9. Your rights

Under UK GDPR you can ask to access, correct, delete, restrict or port your personal data, or object to certain processing. Email support@graftup.co.uk and we'll respond. You can also complain to the Information Commissioner's Office (ico.org.uk).

10. Children

Graft Up is for businesses and is not intended for anyone under 18.

11. Changes & contact

We may update this policy and will post the new version here. Questions? Email support@graftup.co.uk.