This Privacy Policy explains how Verraa ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website and services. We are committed to safeguarding your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Please read this policy carefully. By using our platform you acknowledge that you have read and understood it.
1. Who We Are
Verraa is the data controller responsible for personal data collected through this website. If you have any questions about this policy or wish to exercise your rights, please contact us:
We are registered with the Information Commissioner's Office (ICO) as required under UK data protection law.
2. Personal Data We Collect
We collect personal data that you provide directly and data generated through your use of our platform.
2.1 Data You Provide
- Account information: name, email address, password (hashed), profile picture, and bio.
- Provider profile: business description, experience, certifications, service policies, response time, and availability.
- Service listings: service title, description, category, pricing, location, and images.
- Booking information: booking dates, notes, and payment details (processed by Stripe — we do not store full card numbers).
- Messages and quotes: content of conversations and custom quote requests exchanged on the platform.
- Support enquiries: name, email, subject, and message submitted through our contact form.
- Reviews: ratings and written reviews you submit for services.
2.2 Data Collected Automatically
- Usage data: pages visited, features used, and time spent on the platform.
- Technical data: IP address, browser type and version, device type, operating system, and referring URL.
- Cookies and similar technologies: session identifiers and preference cookies. See Section 9 for more detail.
3. How We Use Your Personal Data
We process your personal data for the following purposes and rely on the legal bases below:
- Contract performance (Article 6(1)(b) UK GDPR): to provide and manage your account, process bookings and payments, facilitate communication between customers and providers, and handle cancellations and refunds.
- Legitimate interests (Article 6(1)(f) UK GDPR): to improve and personalise our platform, prevent fraud, maintain platform security, generate anonymised analytics, and send service-related communications such as booking status updates.
- Legal obligation (Article 6(1)(c) UK GDPR): to comply with applicable laws including financial record-keeping, fraud prevention obligations, and requests from law enforcement or regulatory bodies.
- Consent (Article 6(1)(a) UK GDPR): to send marketing communications where you have opted in. You may withdraw consent at any time by unsubscribing or contacting us.
4. How We Share Your Data
We do not sell your personal data. We may share it in the following circumstances:
- Between users: when a booking is made, relevant details (name, booking date, service information) are shared between the customer and the service provider to fulfil the booking.
- Payment processor: Stripe Inc. processes payment transactions. Stripe acts as an independent data controller for payment data. Please review Stripe's Privacy Policy.
- Email service provider: Resend is used to send transactional emails (booking confirmations, status updates, support ticket notifications). Resend processes email addresses and message content on our behalf under a data processing agreement.
- Cloud infrastructure: our platform is hosted on Vercel and uses Turso (libSQL) for database storage. Both process data on our behalf under appropriate data processing agreements.
- Analytics: we use PostHog for product analytics. Data is processed pseudonymously.
- Legal requirements: we may disclose data where required by law, court order, or to protect the rights, property, or safety of Verraa, our users, or the public.
All third-party processors are required to handle your data in accordance with UK data protection law and only process data on our documented instructions.
5. International Data Transfers
Some of our service providers are based outside the UK. Where personal data is transferred to countries not deemed adequate by the UK Secretary of State, we ensure appropriate safeguards are in place — such as the UK International Data Transfer Agreement (IDTA) or equivalent Standard Contractual Clauses — to protect your data to UK GDPR standards.
6. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this policy:
- Account data: for the duration of your account, plus up to 2 years after deletion to comply with legal obligations.
- Booking and payment records: 7 years to comply with HMRC financial record-keeping requirements.
- Support tickets: 3 years from submission.
- Marketing preferences and consent records: until consent is withdrawn, plus 1 year thereafter.
- Server logs and technical data: up to 90 days.
When data is no longer required it is securely deleted or anonymised.
7. Your Rights Under UK GDPR
Under UK data protection law you have the following rights. To exercise any of them, contact us at [email protected]. We will respond within one calendar month as required by law.
- Right of access: to request a copy of the personal data we hold about you (Subject Access Request).
- Right to rectification: to request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): to request deletion of your data where there is no compelling reason for us to continue processing it.
- Right to restrict processing: to request that we limit how we use your data in certain circumstances.
- Right to data portability: to receive your data in a structured, machine-readable format where processing is based on consent or contract.
- Right to object: to object to processing based on legitimate interests or for direct marketing purposes.
- Rights related to automated decision-making: we do not make solely automated decisions that have a legal or similarly significant effect on you.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113 if you believe we have not handled your data lawfully.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or alteration. These include:
- Encryption of data in transit using TLS.
- Bcrypt hashing of passwords — we never store plain-text passwords.
- Access controls limiting who within our organisation can access personal data.
- Regular review of our security practices and third-party processor agreements.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, inform affected individuals without undue delay.
9. Cookies
We use cookies and similar technologies to operate our platform. These include:
- Strictly necessary cookies: required for authentication and session management. These cannot be disabled.
- Functional cookies: remember your preferences such as theme and language settings.
- Analytics cookies: help us understand how users interact with our platform (PostHog). These are set only with your consent where required by the PECR.
You can manage or withdraw cookie consent at any time via your browser settings. Disabling certain cookies may affect platform functionality.
10. Children's Privacy
Our platform is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with their data, please contact us immediately at [email protected] and we will take steps to delete it.
11. Third-Party Links
Our platform may contain links to third-party websites. This policy applies only to Verraa. We are not responsible for the privacy practices of external sites and encourage you to read their privacy policies.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through a notice on our platform. Continued use of our services after changes take effect constitutes acceptance of the revised policy.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
We take all privacy enquiries seriously and will do our best to resolve them promptly.