Privacy Notice

Last updated: 18 April 2026

This notice explains what personal data Holdfort collects, why, how long we keep it, and what you can do about it. It's written in plain English on purpose — privacy isn't a trick question.

1. Who we are

Holdfort is a WhatsApp-based invoicing service for UK tradespeople. Holdfort is operated as a UK sole trader business. Our trading name is Holdfort and we're based in the United Kingdom.

Contact for anything in this notice, or to exercise your rights: hello@holdfort.uk.

Under UK GDPR we are the "data controller" for the personal data described below. Our ICO registration number is ZC121084.

2. What data we collect

• Your WhatsApp phone number and the messages you send us
• Voice notes you send us (held only briefly — see retention)
• Invoice data you create: customer names, job descriptions, addresses, line items, prices, VAT, totals
• Basic account info: your trading name, any logo you upload, your VAT number if you have one
• Technical data: timestamps and message IDs needed to run the service

3. Why we process it (lawful basis)

• Contract (UK GDPR Art. 6(1)(b)): to provide the invoicing service you signed up for
• Legitimate interests (Art. 6(1)(f)): service security, preventing fraud, diagnosing problems
• Legal obligation (Art. 6(1)(c)): keeping invoice records to meet UK tax record-keeping rules

4. How long we keep it

• Voice notes: deleted as soon as we've used them to build your invoice — typically within seconds of you sending them. We do not archive, play back, review, or use voice recordings to train AI models. Our upstream AI providers (OpenAI Whisper, Anthropic Claude) do not use API content to train their models under their standard commercial terms that we operate under.
• Invoice data: kept while your account is active so you can edit it, re-send it, and track whether you've been paid. Your invoice records are your own business records — you are the one with the HMRC tax record-keeping obligation. When you close your account, we delete everything we hold (see the "Quick erasure shortcut" below).
• Account data: your phone number, trading name, and basic profile settings. Kept while your account is open, deleted within 30 days of cancellation.

5. Who we share it with

We use a small number of trusted third-party providers to run the service. They only process your data on our instructions:

• Meta Platforms Ireland Ltd — WhatsApp Business Cloud API, for message delivery
• Anthropic PBC (USA) — AI processing (Claude), used to turn your message content into invoice drafts
• OpenAI OpCo, LLC (USA) — voice-to-text transcription (Whisper)
• Hetzner Online GmbH (Germany) — server hosting inside the EU

We do not sell your data. We do not share it with advertisers. We do not share it with anyone else unless we're legally required to (for example, a valid order from a UK court or regulator).

6. International data transfers

Some of our providers (Anthropic, OpenAI) are based in the USA. Where your data leaves the UK/EEA, it does so under the UK International Data Transfer Agreement or EU Standard Contractual Clauses, which provide legal safeguards required by UK GDPR.

7. Your rights

Under UK GDPR you have the right to:

• Ask for a copy of the personal data we hold about you
• Ask us to correct anything that's wrong
• Ask us to delete your data (subject to legal retention rules like the HMRC 6-year rule)
• Ask us to restrict or stop certain processing
• Object to processing we do on legitimate-interests grounds
• Ask for a portable copy of your data

To exercise any of these, email hello@holdfort.uk. We'll respond within 30 days. These requests are free.

Quick erasure shortcut. You can trigger a full data erasure yourself, without emailing us, by sending the message “delete my data” to our WhatsApp number. Your profile, jobs, voice notes, photos, and generated invoices are erased within seconds. This is our implementation of your Right to Erasure under UK GDPR Art. 17.

8. Complaints

If you think we've handled your data wrongly, we'd rather you told us first — email above — so we can try to fix it. But you also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.

9. Cookies and tracking on this website

This marketing website uses Vercel Web Analytics, Google Analytics 4 and the Meta Pixel to measure visitor behaviour. These drop first-party cookies for session and user identification. You can opt out of GA4 via browser settings and Meta Pixel via your Meta ad settings.

10. Automated decisions

We use AI to draft invoices from your messages, but every draft is shown to you for approval before anything is sent to your customer. You're always the one pressing send. There is no fully-automated decision-making that produces legal or similarly significant effects on you under UK GDPR Art. 22.

11. Changes to this notice

If we make material changes, we'll tell you on WhatsApp before they take effect. We'll also update the "last updated" date at the top of this page.