Privacy Policy

Last updated: October 10, 2025

1. Introduction

This Privacy Policy explains how Penda CRM ("we", "our", or "us") collects, uses, and protects your personal information when you use our service. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, phone number, work address
  • Company Information: Company name, address, contact details
  • Job Information: Client details, job addresses, scheduling information, custom form data
  • Usage Data: Information about how you use our service, including mileage calculations and job tracking

2.2 Automatically Collected Information

  • Log Data: IP address, browser type, device information, access times
  • Location Data: Job addresses and routing information for mileage calculations
  • Cookies: Essential cookies for authentication and session management

3. How We Use Your Information

We use your information to:

  • Provide and maintain our CRM service
  • Manage user accounts and authentication
  • Process and track jobs and schedules
  • Calculate mileage and generate reports
  • Communicate with you about service updates and support
  • Improve and optimize our service
  • Comply with legal obligations

4. Legal Basis for Processing (UK GDPR)

We process your personal data under the following lawful bases:

  • Contract Performance: To provide the CRM service you've subscribed to
  • Legitimate Interests: To improve our service and prevent fraud
  • Legal Obligation: To comply with UK laws and regulations
  • Consent: Where you have provided explicit consent for specific purposes

5. Data Sharing and Third Parties

We share your data only with trusted service providers:

  • Supabase: Database and authentication hosting (EU region)
  • Google Cloud: OAuth authentication and Maps API for mileage calculations
  • Vercel: Application hosting and deployment

We do not sell, rent, or share your personal information with third parties for their marketing purposes. All third-party providers are contractually obligated to protect your data and comply with UK GDPR.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with services. After account termination, we retain data for 90 days for backup purposes, then permanently delete it unless we are legally required to retain it longer. Job and financial records may be retained for up to 7 years to comply with UK tax and accounting regulations.

7. Data Security

We implement industry-standard security measures including encryption in transit (TLS/SSL), encryption at rest, row-level security policies, regular security audits, and secure authentication protocols. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

8. Your Rights (UK GDPR)

Under UK GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Limit how we use your data
  • Portability: Receive your data in a structured, machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Where processing is based on consent

To exercise any of these rights, please contact us at the email address below.

9. International Data Transfers

Your data is primarily stored in EU/UK data centers. Where data is transferred outside the UK/EU, we ensure adequate safeguards are in place through standard contractual clauses or other approved mechanisms under UK GDPR.

10. Children's Privacy

Our service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

11. Cookies and Tracking

We use essential cookies for authentication and session management. These are necessary for the service to function and cannot be disabled. We do not use advertising or analytics cookies without your explicit consent.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a prominent notice on our service. The "Last updated" date at the top indicates when the policy was last revised.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: privacy@penda.work

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection authority, at ico.org.uk.

This Privacy Policy is compliant with UK GDPR and the Data Protection Act 2018. If you are based outside the UK, additional protections may apply under your local laws.