Privacy policy

Last updated: March 2026

1. Who we are

Graft Systems Ltd is a company registered in England and Wales. Our service is a CRM and job management platform built for UK tradespeople.

We are registered as a data controller with the Information Commissioner's Office (ICO). Registration number: ZC098135.

If you have any questions about this policy or how we handle your data, contact us at: hello@graft.systems

2. What data we collect

Account data. When you sign up, we collect your name, email address, phone number, business name, and trade type.

Customer data. When you use Graft to manage your business, you may store your own customers' contact details (names, email addresses, phone numbers, addresses) and job information within the platform. You are the data controller for this data. We process it on your behalf.

Usage data. We collect basic information about how you use the service (pages visited, features used) to improve the product. This does not include the content of your jobs or quotes.

Payment data: subscription billing. Your subscription payments are processed by Stripe, Inc. We do not store your payment card details. Stripe handles this directly and is subject to PCI-DSS compliance. Stripe's privacy policy is available at stripe.com/gb/privacy.

Payment data: your business bank details. As part of operating your business through Graft, you may choose to store your own business bank account details (account number, sort code, and bank name) within the platform. This information is used solely to populate your invoices and quotes so your customers know how to pay you. We store this data securely in our database. We do not share it with any third party, use it for any purpose other than displaying it on your documents, or transmit it to payment processors. You can update or remove this information at any time from Settings.

Communications. If you contact us by email, we keep a record of that correspondence.

3. How we use your data

We use your data to:

  • Provide and operate the Graft service
  • Generate AI-powered quotes and documents on your behalf
  • Send transactional emails and SMS messages (quote confirmations, invoices, review requests)
  • Process your subscription payments
  • Respond to your support requests
  • Improve the product

We do not sell your data. We do not use your data for advertising.

4. Legal basis for processing

  • Contract: Processing your account data and customer data is necessary to provide the service you have signed up for.
  • Legitimate interests: We may process limited usage data to improve the product, where this does not override your rights.
  • Legal obligation: We may retain certain records where required by law (e.g. financial records).
  • Legitimate interests (bank details): We store your business bank account details on the basis of your explicit instruction and legitimate interest in operating your invoicing workflow. You can remove this data at any time.

5. Who we share your data with

We use the following third-party processors to operate Graft. Each has been carefully selected and is bound by a Data Processing Agreement:

Processor                     Purpose                                   Location
Supabase                      Database hosting and file storage         EU (London)
Vercel                        Application hosting and deployment        EU / US
OpenAI                        AI-powered quote and document generation  US
Resend                        Transactional email delivery              US
Stripe                        Subscription payment processing           US
Meta (WhatsApp Business API)  Optional WhatsApp messaging integration   US

OpenAI: When you generate a quote or use AI features, job notes and relevant context are sent to OpenAI's API for processing. We have disabled all data sharing and model training options with OpenAI. Your data is not used to train their models.

Meta (WhatsApp): If you choose to connect the WhatsApp integration, messages sent through Graft via WhatsApp are processed by Meta's WhatsApp Business API. Only message content you explicitly send through the integration is shared. The WhatsApp integration is entirely optional. If you do not connect it, no data is shared with Meta.

Your bank details: Your business bank account details (if stored) are held exclusively within Supabase and are never transmitted to any sub-processor other than Supabase for storage.

International transfers to the US are covered by Standard Contractual Clauses (SCCs) where applicable.

We do not share your data with any other third parties except where required by law.

6. How long we keep your data

  • Active accounts: We keep your data for as long as your subscription is active.
  • Cancelled accounts: Your data is retained for 90 days after cancellation, then permanently deleted.
  • Financial records: We may retain billing records for up to 7 years as required by UK law.

You can delete your account and all associated data at any time from Settings, Account.

7. Your rights

Under UK GDPR, you have the right to:

  • Access: request a copy of the personal data we hold about you
  • Rectification: ask us to correct inaccurate data
  • Erasure: ask us to delete your data (you can also do this yourself via account deletion)
  • Portability: request your data in a machine-readable format (available via Settings, Export my data)
  • Objection: object to certain types of processing
  • Restriction: ask us to restrict processing in certain circumstances

To exercise any of these rights, email hello@graft.systems with the subject line "Data Request". We will respond within 30 days.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the ICO at ico.org.uk.

8. Cookies

We use a single session cookie to keep you logged in. This is strictly necessary for the service to function and does not require your consent.

We do not use advertising cookies, tracking cookies, or third-party analytics cookies.

9. Security

We take security seriously. Your data is stored in Supabase with encryption at rest and in transit. Access to production systems is restricted to authorised personnel only. All API keys are stored securely and never exposed publicly.

In the event of a data breach that affects your personal data, we will notify you and the ICO within 72 hours as required by UK GDPR.

10. Children

Graft is not intended for use by anyone under the age of 18. We do not knowingly collect data from children.

11. Changes to this policy

We may update this policy from time to time. We will notify you of significant changes by email. The latest version will always be available at graft.systems/legal/privacy.

12. Contact

Graft Systems Ltd

Email: hello@graft.systems

Website: graft.systems