Privacy Policy
Last updated: April 2026
This policy explains what personal data Cole collects, why we collect it, how we use it, and your rights as a data subject under UK GDPR and the Data Protection Act 2018.
1. Who We Are
Cole Technologies Ltd is the data controller for personal data processed through the Cole platform. We are registered with the Information Commissioner’s Office (ICO) under registration number [pending].
Data controller contact:
Cole Technologies Ltd
Email: privacy@usecole.co.uk
For data protection queries: dpo@usecole.co.uk
2. Personal Data We Collect
We collect personal data in three ways: data you give us directly, data generated by your use of the Platform, and data we receive from third parties.
2.1 Data you provide
| Category | Data collected | Why |
|---|---|---|
| Account registration | Name, email address, phone number, company name, company address, VAT number | To create and manage your Account |
| Business profile | Trade type, business size, number of employees, accounting software preference | To personalise your experience and configure integrations |
| Payment information | Bank account details, company registration number (for Stripe Connect onboarding). Card details are handled by Stripe and not stored by Cole. | To process payments and payouts |
| Customer data | Names, addresses, and contact details of your clients that you enter into Cole | To generate quotes and invoices on your behalf |
| Subcontractor profiles | Name, business name, trade type, UTR number, CIS registration number, insurance details, CSCS card details, trade certifications | To maintain compliance profiles within the subcontractor network |
| Support communications | Email correspondence, support ticket content | To resolve support queries |
2.2 Data generated by your use
| Category | Data collected | Why |
|---|---|---|
| Usage data | Features used, actions taken, time spent, pages visited within the Platform | To improve the Platform and identify issues |
| Device and technical data | IP address, device type, operating system, browser type, app version | Security, debugging, and compatibility |
| Location data | Approximate location derived from IP address. GPS location of photos taken on site (where device permissions allow) | To tag site photos with location; for fraud prevention |
| Log data | Server logs, error logs, API request logs | Security monitoring and debugging |
| Financial transaction data | Invoice amounts, payment dates, payment methods, Stripe transaction IDs | To process payments and reconcile accounts |
2.3 Data from third parties
- Stripe: Payment status, connected account status, verification results
- Xero / QuickBooks: Account connection status, sync confirmation data
- HMRC: CIS verification status where you request verification through Cole
3. Legal Bases for Processing
Under UK GDPR, we must have a lawful basis for processing personal data. Our legal bases are:
| Processing activity | Legal basis |
|---|---|
| Providing the Platform and its core features | Contract performance — necessary to fulfil our agreement with you |
| Processing payments and managing subscriptions | Contract performance |
| Maintaining the subcontractor compliance network | Legitimate interests (enabling trade businesses to manage compliance obligations) |
| Sending service communications, security alerts, and product updates | Contract performance / Legitimate interests |
| Improving the Platform through usage analysis | Legitimate interests |
| Fraud prevention and security monitoring | Legitimate interests / Legal obligation |
| Complying with legal and regulatory obligations (including tax records) | Legal obligation |
| Sending marketing communications about Cole | Consent (you can withdraw at any time) |
4. How We Use Your Data
We use your personal data to:
- create and manage your Account and subscription
- provide the features and services of the Platform
- process payments and manage payouts through Stripe Connect
- generate quotes, invoices, job sheets, and handover reports on your behalf
- send you service communications including receipts, payment confirmations, compliance alerts, and security notices
- provide customer support
- improve, develop, and maintain the Platform
- detect, prevent, and investigate fraud, security incidents, and misuse
- comply with legal and regulatory obligations
- send you marketing communications about Cole features and offers (where you have consented or where we have a legitimate interest in doing so)
We do not sell your personal data to any third party. We do not use your data for advertising to third parties. We do not use your Customer Data (your clients’ details, quote content, job information) for any purpose other than providing the Platform.
5. Who We Share Your Data With
We share personal data only where necessary to provide the Platform or where required by law. We do not sell data.
| Recipient | What we share | Why |
|---|---|---|
| Stripe | Account details, payment information, identity verification data | Payment processing and connected account management under Stripe Connect |
| Xero / QuickBooks | Invoice data, payment data | Accounting integration, with your explicit authorisation |
| Cloud infrastructure providers | All Platform data stored on our infrastructure | Hosting and data storage (UK data residency) |
| Analytics providers | Anonymised usage data | Platform improvement and performance monitoring |
| Legal and regulatory authorities | Data required by applicable law | Legal obligation (e.g. HMRC, ICO, law enforcement with lawful authority) |
| Professional advisers | Data relevant to a specific matter | Legal advice, auditing, and similar professional services, subject to confidentiality obligations |
All third-party processors are contractually required to handle personal data in accordance with UK GDPR and to implement appropriate security measures.
6. International Data Transfers
Cole stores all Customer Data on servers located within the United Kingdom. Some of our third-party service providers (including Stripe) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA) or equivalent standard contractual clauses approved by the ICO.
7. Data Retention
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, including for legal, accounting, or reporting obligations.
| Data type | Retention period |
|---|---|
| Account and profile data | Duration of subscription + 90 days following Account closure |
| Financial transaction records | 7 years from the date of the transaction (HMRC requirement) |
| Invoice and quote data | 7 years (Companies Act and HMRC requirements) |
| Support communications | 3 years from resolution |
| Security and server logs | 12 months |
| Marketing preferences and consent records | Until withdrawn + 3 years |
| Subcontractor compliance documents | Duration of profile + 90 days following profile closure |
| Anonymised usage data | Indefinitely (cannot identify individuals) |
8. Your Rights Under UK GDPR
You have the following rights in relation to your personal data. To exercise any of these rights, contact us at privacy@usecole.co.uk. We will respond within 30 days.
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request that we correct inaccurate or incomplete data.
- Right to erasure: You may request deletion of your personal data where there is no compelling reason for us to continue processing it. Note that legal retention obligations (such as HMRC requirements) may prevent immediate deletion of some data.
- Right to restrict processing: You may request that we limit how we use your data in certain circumstances.
- Right to data portability: You may request a copy of your personal data in a structured, machine-readable format.
- Right to object: You may object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Rights related to automated decision-making: Cole does not make any automated decisions that have a legal or similarly significant effect on you. AI features in Cole are assistive tools that support human decision-making.
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113 if you believe your data protection rights have been infringed.
9. Security
We implement technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, and destruction. These measures include:
- encryption of data in transit (TLS) and at rest
- access controls and role-based permissions
- regular security testing and vulnerability assessments
- staff training on data protection
- incident response procedures
- UK data residency for Customer Data
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR.
10. Children
The Platform is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@usecole.co.uk and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or prominent notice within the Platform. The updated policy will be effective from the date stated at the top. Continued use of the Platform after that date constitutes acceptance of the updated policy.