Privacy Policy

ArbLink Ltd is the “data controller” for personal data processed through the Service. We are a company registered in England & Wales.

• Controller: ArbLink Ltd
• Registered office: United Kingdom (full address available on request)
• Contact: privacy@arblink.co.uk

We are not currently required to appoint a Data Protection Officer under Article 37 UK GDPR. Our designated privacy contact is the address above.

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR). Where you access the Service from outside the UK, additional local laws may apply.

We collect the following categories of personal data:

• Account data — name, email address, phone number, password hash, role (member, business, subcontractor, admin) and profile photo.
• Business and subcontractor data — trading name, company registration number, VAT number, addresses, certifications, insurance details, portfolio content and service areas.
• Job and connection data — job postings, applications, messages, contacts and CRM notes you create within the Service.
• Location data — approximate or precise location you provide for job sites, tip sites, service areas or map features. We do not track background location.
• Communications — messages sent through our in-app messaging, emails and support requests.
• Technical data — IP address, device identifiers, browser type, operating system, log data, time zone, referring URLs and pages viewed.
• Usage and analytics data — feature usage, session duration, clickstream and crash diagnostics.
• Payment data — billing address and subscription tier. Card details are collected and processed directly by our payment provider; we do not store full card numbers.
• Marketing data — your preferences for receiving updates from us and waitlist status.

We do not knowingly collect special category data (e.g. health, biometric or political data). Please do not submit such information through the Service.

Under Article 6 UK GDPR we rely on the following lawful bases. The lawful basis depends on the specific purpose of processing.

• Contract (Art 6(1)(b)) — to create and operate your account, deliver the Service, process subscriptions and provide support.
• Legitimate interests (Art 6(1)(f)) — to secure the platform, prevent fraud and abuse, improve features, conduct aggregated analytics and develop our business. You may object to this processing at any time.
• Consent (Art 6(1)(a)) — for non-essential cookies, optional analytics and marketing emails. You may withdraw consent at any time without affecting earlier processing.
• Legal obligation (Art 6(1)(c)) — to comply with tax, accounting, anti-money-laundering and other legal requirements, and to respond to lawful requests from authorities.

We share personal data only with the following categories of recipient, under written contracts that include UK GDPR-compliant safeguards:

• Other users — limited profile information, job postings, messages and CRM connections you choose to share through the Service.
• Infrastructure providers — Supabase (database, authentication, storage) and our hosting and content-delivery providers.
• Communication providers — email delivery, SMS and OTP services.
• Payment processors — for subscriptions and invoicing.
• Mapping providers — to render maps and locations.
• Professional advisers — accountants, auditors, insurers and lawyers.
• Authorities — where required by law, court order or to protect rights, safety and the integrity of the Service.
• Acquirers — in the event of a merger, restructuring or sale of all or part of our business.

We do not sell your personal data.

Some of our processors are located outside the UK. When personal data is transferred outside the UK we rely on an adequacy decision by the UK government, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism. A copy of the safeguards we use is available on request.

We retain personal data only for as long as necessary for the purposes set out above. As a general guide:

• Account data — for the life of your account, plus up to 12 months after closure.
• Jobs, applications and messages — up to 24 months after the related job closes.
• Financial records — 7 years to meet UK accounting and tax requirements.
• Audit logs and security events — up to 24 months.
• Waitlist and marketing data — until you unsubscribe or withdraw consent.

When personal data is no longer required, we either delete it securely or anonymise it for aggregated analytics.

Subject to certain conditions under the UK GDPR, you have the right to:

• Access the personal data we hold about you (Art 15);
• Request rectification of inaccurate data (Art 16);
• Request erasure of your data (Art 17);
• Restrict processing (Art 18);
• Data portability (Art 20);
• Object to processing based on legitimate interests or direct marketing (Art 21);
• Withdraw consent at any time where processing is based on consent (Art 7(3));
• Not be subject to a decision based solely on automated processing with legal or similarly significant effects (Art 22). We do not currently carry out such processing.

To exercise any of these rights, contact privacy@arblink.co.uk. We respond within one month and may ask you to verify your identity. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113.

We implement appropriate technical and organisational measures including encryption in transit (TLS), encryption at rest, role-based access control (RBAC), row-level security on our database, auditable access logs, and least-privilege administration. No system is perfectly secure; you are responsible for keeping your account credentials confidential.

We use cookies and similar technologies. For details, the categories we use and how to manage your preferences, see our Cookie Policy.

The Service is intended for users aged 18 and over and is not directed at children. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

We may update this policy from time to time. Material changes will be communicated through the Service or by email before they take effect. The “last updated” date at the top of this page indicates when the policy was last revised.

Questions, requests or complaints can be sent to privacy@arblink.co.uk.