GDPR — OnlyTrade

The short version

Under UK GDPR, you have eight clear rights over personal data we hold about you. You can ask us to give you a copy, correct it, delete it, stop processing it, or move it elsewhere. We will respond within one calendar month, for free in almost every case, and we will never make it hard.

Our roles: controller vs processor

Under GDPR, your rights and our obligations depend on whether we’re a data controller or a data processor. OnlyTrade is both — for different data.

For your account data Controller

We control data about you as an OnlyTrade subscriber (name, email, business details, billing). You exercise your GDPR rights directly with us. That’s what this page is for.

For your customers’ data Processor

We process data about your customers (contacts, jobs, invoices) on your behalf. You are the controller. If your customer asks you to exercise a GDPR right, you handle it — we provide tools to help you (export, delete, etc.).

Your eight rights

Right to be informed

To know what data we hold, why, how we use it, and who we share it with. See our Privacy Policy.

Right of access

To request a copy of the personal data we hold about you (a “subject access request”).

Right to rectification

To have inaccurate or incomplete data corrected. Most things you can edit directly in your account.

Right to erasure

Also known as the “right to be forgotten”. Subject to some legal exceptions (e.g. we must keep invoicing records for 6 years under HMRC rules).

Right to restrict processing

To pause processing while a dispute is resolved. We’ll keep the data but stop using it.

Right to data portability

To receive your data in a common, machine-readable format (CSV, JSON) so you can move to another service.

Right to object

To object to processing based on legitimate interests. Absolute right to object to direct marketing.

Rights around automated decisions

You can ask for a human review of any fully automated decision that significantly affects you. We don’t currently make decisions like that, but if we do we’ll tell you.

How to make a request

Email us

Send an email to privacy@onlytrade.ai from the email address on your account. Tell us which right you want to exercise and, if relevant, what specific data you’re asking about.

We verify your identity

We may ask for additional information to confirm you are who you say you are. This protects you from someone else accessing your data.

We respond within one calendar month

Usually much sooner. For particularly complex or voluminous requests, we may extend by up to two further months — we’ll tell you within the first month if that’s needed.

No charge in normal cases

Requests are free. We may charge a reasonable admin fee only for requests that are manifestly unfounded or excessive — this is rare and we’ll explain clearly if it applies.

If we refuse

Occasionally we must refuse a request (for example, if erasing data would breach a legal obligation like HMRC record-keeping). We will always explain why, and tell you how to complain.

What we do with requests

Access: we export all the personal data we hold about you as structured files (CSV, JSON) plus a plain-English summary.
Rectification: most profile data you can edit yourself. For anything you can’t edit directly, we’ll update it within 14 days.
Erasure: we remove your data from our live systems within 14 days. Backups are purged on their rotation cycle (maximum 35 days). Legal retention periods (e.g. invoicing) may require us to keep some data longer — we’ll explain.
Portability: we export in CSV or JSON, including customer lists, job records, and quotes/invoices in standard formats.

International transfers

Your data is stored primarily in the UK and EU. Where any sub-processor is based outside the UK/EU, we use UK-approved safeguards (International Data Transfer Agreement, Standard Contractual Clauses, or applicable adequacy decisions). See Privacy Policy § 6.

If we suffer a data breach

If a personal data breach poses a risk to your rights or freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware, as required by UK GDPR. If the risk is high, we will notify you directly without undue delay, explain what happened, what data was involved, and what we’re doing about it.

Your right to complain to the ICO

If you’re not happy with how we’ve handled your data or your request, you have the right to complain to the UK’s data protection regulator:

Information Commissioner’s Office (ICO)
Website: ico.org.uk/make-a-complaint
Phone: 0303 123 1113
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We’d rather fix things directly, so please do come to us first — but you’re entitled to go straight to the ICO if you prefer.

Data Processing Agreement (DPA)

If your use of OnlyTrade means we’re processing personal data on your behalf (i.e. your customer data), a Data Processing Agreement is automatically incorporated into our Terms of Service. A standalone signable DPA is available on request for customers who need one for their own compliance records — email privacy@onlytrade.ai.

Records of processing activities (ROPA)

We maintain a written record of processing activities as required by Article 30 UK GDPR. This covers what we process, why, for how long, the categories of recipients, and the safeguards applied. It’s available to the ICO on request.

Data Protection Officer

We are not required to appoint a statutory Data Protection Officer at our current scale. Our privacy lead is the Managing Director of Howells Digital Ltd. All privacy questions go to privacy@onlytrade.ai.

Exercising your rights will never affect the service you get from OnlyTrade. We’ll never penalise you, downgrade your account, or treat you differently for making a request.

UK GDPR & your rights