Privacy Policy
Last updated: 21 May 2026 Effective from: [LAUNCH DATE — update at go-live]
DRAFT — assumptions to confirm before publishing
- Legal entity: assumed to be a UK limited company "BOB O JOB LTD" with a UK registered office. Replace placeholders below with your actual entity name, company number, and registered address.
- ICO registration: this policy assumes you are registered with the UK Information Commissioner's Office. If not, register before launch — it's a legal requirement and costs £40–£60/year.
- Data controller for both customer and jobber data is bob-o-job. (Stripe and other processors are joint or independent controllers for some of their own purposes.)
- No international transfers outside UK/EEA other than via SCCs with named subprocessors (Stripe US, PostHog EU region, Mapbox US, Resend EU/US). Confirm with each.
- No automated decision-making with legal effect in v1 — the matching engine recommends Jobbers but humans (customers) make the final choice. If that changes (e.g. auto-assignment), GDPR Article 22 disclosure must be added.
- DPO not appointed — relying on a privacy contact. Reassess if processing scale grows.
1. Who we are
This Privacy Policy explains how BOB O JOB LTD ("bob-o-job", "we", "us", "our") collects, uses, stores, and shares personal data when you use the bob-o-job platform — including our website at www.bob-o-job.com, our mobile apps, and any related services (collectively, the "Service").
Data controller: BOB O JOB LTD [Registered office address] Company number: 17231669 Registered in England and Wales.
Privacy contact: Email: admin@bob-o-job.co.uk Postal: [Address as above]
We are registered with the UK Information Commissioner's Office (ICO) under registration number [ICO number].
2. Scope of this policy
This policy applies to:
- Customers — people who post jobs and hire service providers through the Service.
- Jobbers — service providers offering cleaning, gardening, handyman, dog-walking, general tasks, and events/hospitality services through the Service.
- Visitors — anyone browsing our website or apps without an account.
Where processing differs between customers and jobbers, we say so.
3. What personal data we collect
3.1 Information you give us
When you create an account (customers and jobbers):
- Name
- Email address
- Phone number
- Password (stored as a hashed value — we never see your password)
- Profile photo (optional)
- Postcode and/or address
When you become a jobber, additionally:
- Identity verification data (collected and processed by Stripe Identity on our behalf — see Section 7). This includes a government-issued ID document and a selfie.
- Right-to-work check information where applicable
- Qualifications, certifications, and equipment claims
- Service area and availability windows
- Bank account details for payouts (collected by Stripe; we do not store these)
- Insurance documentation (if relevant to the category)
- Tax status (for tax reporting where required by law)
When you post a job (customers):
- Job description and category
- Location of the job (address, postcode, latitude/longitude)
- Scheduling preferences
- Photos relevant to the job (before photos, problem descriptions)
- Price preferences and budget
- Payment card details (collected by Stripe; we do not store these — see Section 7)
When you communicate through the Service:
- Messages exchanged between customers and jobbers
- Support enquiries
- Dispute-related correspondence
- Reviews and ratings you leave or receive
3.2 Information we collect automatically
Technical data (all users):
- IP address
- Browser type and version
- Device type, operating system, and screen resolution
- Time zone and language settings
- Pages visited, features used, time spent
- Referring URL
Location data (jobbers, while using the jobber app):
- Real-time GPS location when you mark yourself as "online" and available for work
- Last known location for radius-based matching
- Route information when en route to a job (for customer safety and ETA estimates)
You can disable location sharing at any time through your device settings, but doing so will prevent you from receiving job notifications based on proximity.
Cookies and similar technologies:
- Strictly necessary cookies (always on — authentication, session management)
- Analytics cookies (PostHog — only with your consent)
- Preference cookies (language, theme — only with your consent)
See our separate Cookie Policy / cookie banner for details and to manage preferences.
3.3 Information from third parties
- Identity verification results from Stripe Identity (pass/fail and supporting metadata; we do not retain the underlying documents — Stripe does, per their retention policy).
- Payment status updates from Stripe.
- Authentication information from Google (if you sign in via Google OAuth — name, email, profile photo).
- Fraud and risk signals from Stripe Radar where applicable.
4. How we use your personal data and our legal basis
Under UK GDPR, we must have a lawful basis for processing your personal data. The table below summarises what we do and why.
| Purpose | Data used | Lawful basis |
|---|---|---|
| Create and manage your account | Name, email, phone, password hash, profile data | Contract (Article 6(1)(b)) — necessary to provide the Service |
| Verify jobber identity and right to work | ID document, selfie, verification result | Contract; Legitimate interest in platform safety; Legal obligation where right-to-work checks apply |
| Match customers with jobbers | Job details, location, category, jobber availability, tier, equipment, ratings | Contract |
| Process payments and payouts | Transaction details, payment method (via Stripe), bank details (via Stripe), VAT/tax info | Contract; Legal obligation (tax, anti-money laundering) |
| Send transactional emails (booking confirmations, receipts, password resets, dispute updates) | Email, transaction details | Contract |
| Send marketing emails and platform updates | Email, communication preferences | Consent (Article 6(1)(a)) — opt-in, with easy unsubscribe |
| Detect and prevent fraud, abuse, and safety incidents | Account data, transaction patterns, IP, device data | Legitimate interest in platform integrity and user safety |
| Comply with legal obligations (tax, AML, court orders) | As required | Legal obligation (Article 6(1)(c)) |
| Resolve disputes between customers and jobbers | Messages, transaction history, photos, location/timing data | Contract; Legitimate interest in fair dispute resolution |
| Analytics and product improvement | Pseudonymous usage data via PostHog | Consent (cookie banner opt-in) |
| Real-time location tracking when en route to a job | GPS data | Contract; Legitimate interest in customer safety and ETA accuracy |
| Customer support | Contact details, messages, account data | Contract; Legitimate interest in providing support |
| Operate trust and safety mechanisms (check-in codes, before/after photos, escrow) | Job and account data, photos | Contract; Legitimate interest in platform safety |
Where we rely on legitimate interests, we have considered the impact on your rights and freedoms and concluded that the processing is necessary and proportionate. You have the right to object — see Section 10.
Where we rely on consent, you can withdraw consent at any time without affecting prior processing.
5. Special category data
Identity verification may involve processing of biometric data (facial recognition in a selfie match against an ID document). This is a special category of personal data under Article 9 UK GDPR.
We rely on:
- Your explicit consent (Article 9(2)(a)) for the biometric verification check, given at the point of jobber onboarding.
- Substantial public interest (Article 9(2)(g)) for preventing fraud and ensuring service-provider trustworthiness on a public-facing marketplace, in line with the Data Protection Act 2018 Schedule 1 Part 2.
Stripe Identity performs the actual biometric processing on our behalf. The biometric template is held by Stripe under its own retention policy; we receive only the verification result.
6. Who we share your personal data with
We share personal data only where necessary and only with parties bound by appropriate safeguards.
6.1 Between users
- Customers see a jobber's name, profile photo, ratings, reviews, tier, approximate location, and acceptance/availability status when a jobber is matched to their job.
- Jobbers see a customer's first name, job details (description, location at confirmation, photos), and rating after the job.
- Reviews and ratings are visible publicly to other users of the platform.
6.2 Service providers (data processors)
We use the following processors. Each is under a written data processing agreement with us.
| Processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Web hosting (Next.js application) | US (with EU edge) — SCCs in place |
| Railway Corp | Backend server hosting (Fastify) | US — SCCs in place |
| Neon Inc. | Database hosting (Postgres) | EU (eu-west-2, London region) |
| Stripe Payments Europe Ltd | Payment processing, identity verification, fraud prevention | Ireland (EU); some processing in US under SCCs |
| Resend Inc. | Transactional email delivery | US — SCCs in place |
| Mapbox Inc. | Mapping, geocoding | US — SCCs in place |
| PostHog Inc. | Product analytics (only with consent) | EU region (eu.posthog.com) |
| Google LLC | OAuth sign-in (only if you choose this method) | EU/US — SCCs in place |
| OpenAI Ireland Ltd | AI-assisted job classification (job descriptions only — no personal data deliberately passed) | EU; some inference in US under SCCs |
| Firebase Cloud Messaging / Apple Push Notification Service | Mobile push notifications | US — Google/Apple terms |
We do not sell your personal data to anyone. We do not share it for third-party marketing.
6.3 Legal and safety disclosures
We may disclose your personal data:
- To comply with a court order, subpoena, or legal request from a competent authority
- To enforce our terms of service or protect our rights
- To prevent or investigate fraud, illegal activity, or threats to safety
- In connection with a corporate transaction (sale, merger, acquisition) — only under confidentiality obligations and with appropriate notice
7. Payment data
Payment card details are entered directly into Stripe Elements on our website and apps and transmitted directly to Stripe. We never see or store your full card number, CVV, or bank account details.
Stripe is the data controller for the card data we route through it. See Stripe's privacy policy at https://stripe.com/privacy.
8. International data transfers
Some of our processors are based in the United States. Where personal data is transferred outside the UK or EEA, we rely on:
- UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) with the processor
- Adequacy decisions where they apply (e.g. UK–EU adequacy)
- Supplementary technical and organisational measures (encryption in transit and at rest)
We have data protection impact assessments (DPIAs) in place for higher-risk processing including identity verification and live location tracking.
9. How long we keep your personal data
| Data category | Retention period |
|---|---|
| Active account data | While your account is open + 6 years after closure (UK statutory limitation period for contract and tort claims) |
| Transaction records | 6 years after the transaction (HMRC requirement) |
| Identity verification records | 5 years after account closure (AML good practice) |
| Communications (messages, support) | 2 years after closure, or longer if a dispute is unresolved |
| Disputes and safety incidents | 6 years after resolution |
| Marketing email subscriptions | Until you unsubscribe |
| Real-time location data | Deleted within 30 days unless tied to a completed job |
| Analytics data (PostHog) | 12 months from collection |
| AI classifier logs (job descriptions submitted for classification) | 90 days |
| Cookies | See cookie banner — varies by cookie |
| Backups | Up to 35 days after deletion from production systems |
After the retention period, data is either deleted or anonymised so it can no longer be linked to you.
10. Your rights
Under UK GDPR you have the following rights. You can exercise any of these by emailing privacy@bob-o-job.com. We will respond within one month (extendable by two further months for complex requests).
- Right of access — get a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — ask us to delete your data where there's no good reason for us to keep it. (We may need to retain some data to comply with legal obligations — see Section 9.) You can also delete your account directly in-app.
- Right to restrict processing — ask us to pause certain processing while we resolve a query.
- Right to data portability — get your data in a machine-readable format.
- Right to object — object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent — where processing is based on consent (e.g. analytics, marketing).
- Right not to be subject to solely automated decision-making with legal or similarly significant effects. We do not currently make any such decisions about you.
- Right to lodge a complaint with the UK Information Commissioner's Office at https://ico.org.uk/make-a-complaint/ or 0303 123 1113. We'd appreciate the chance to address your concerns first, but you can complain to the ICO without contacting us.
There is no fee for most requests. For manifestly unfounded or excessive requests we may charge a reasonable fee or refuse to act on the request, and we will tell you why.
We may need to verify your identity before fulfilling a request.
11. Security
We take security seriously. Measures include:
- Encryption in transit (TLS 1.2+) and at rest
- Hashed and salted password storage (we never store plaintext passwords)
- Principle of least privilege for staff access
- Two-factor authentication on internal admin accounts
- Regular security reviews and dependency patching
- Audit logging of administrative actions
No system is completely secure. If we become aware of a personal data breach that risks your rights and freedoms, we will notify the ICO within 72 hours where required, and you directly where the risk is high.
12. Children
The Service is not directed to anyone under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@bob-o-job.com and we will delete it.
13. Changes to this policy
We may update this policy from time to time. When we do, we will:
- Update the "Last updated" date at the top
- Notify you by email if the changes are material (e.g. new categories of data, new processors handling sensitive data, changes to your rights)
- Keep an archive of previous versions available on request
Continued use of the Service after a change means you accept the updated policy.
14. Contact
Questions, requests, or complaints:
Email: admin@bob-o-job.co.uk Post: BOB O JOB LTD, [Registered office address]
You also have the right to contact the UK Information Commissioner's Office: Web: https://ico.org.uk Phone: 0303 123 1113
This Privacy Policy is provided in English. If there is any conflict between this version and a translation, the English version prevails.