OnPoint Business is a UK trade-business management platform. This summary is here to be useful, not legally binding — the rest of the policy is what governs.
We don't sell your data
We never sell, rent or trade personal data — yours or your customers'.
Card details never touch us
Stripe handles all card data for billing and customer payments. We don't store card numbers.
Bank access is read-only
TrueLayer connections only let us see incoming credits to match invoices. We can't move money.
You stay in control
Disconnect integrations, export your data, or delete your account at any time.
“OnPoint Business”, “we”, “us” or “our” refers to the operator of the OnPoint Business platform at onpointbusiness.co.uk, our mobile apps, customer portal and APIs (together, the “Service”).
We're based in London, United Kingdom. For data protection matters you can reach our privacy team at privacy@onpointbusiness.co.uk.
Data protection law distinguishes between two roles. We act in different roles depending on whose data is involved:
We are the controller
For data about you and your team as users of OnPoint — the account you create, your contact details, billing information, the way you use the product, and the support you receive from us.
We are a processor
For data your business inputs about your customers, jobs and sites. You decide what to collect and why; we host and process it on your instructions, under our Terms (which include data-processing terms).
Account & identity
- Name, email, phone number
- Password (stored as a salted bcrypt hash — we can't see it)
- Organisation name, role, permissions, team membership
- Profile photo (optional)
Business records you create
- Contacts, sites, jobs, appointments, quotes, invoices, payment plans
- Certificates (e.g. Gas Safe, electrical, hot-water)
- Photos, files and PDFs you attach
- Activity timeline events (who did what, when)
Billing data
- Subscription plan, seats, invoices issued by us
- Card details are processed directly by Stripe — we receive only a token, the last 4 digits and the expiry
- Tax / VAT information you provide
Connected-service data (only if you opt in)
- TrueLayer: bank account name and provider, plus incoming-credit transactions (date, amount, description) — read-only, used solely to reconcile invoices
- Stripe Connect: when your customers pay you, Stripe processes their card data on your behalf and shares status with us so we can mark invoices paid
- Xero / QuickBooks: contacts, invoices, payments and tax codes synced between OnPoint and your chosen accounting platform
- Google Ads: advertising identifiers and account access tokens to attribute leads and upload offline conversions
Communications
- Emails sent through the platform (delivery metadata via Resend)
- SMS messages you send to customers (delivery metadata via Twilio)
- Push-notification tokens (FCM for Android/web, APNS for iOS)
- Live-chat conversations on our marketing site (name, email, message, page URL, hashed IP)
- Feedback you submit through the in-app feedback widget
Location
- If you opt in, your engineers' live GPS location for in-app tracking and customer-portal arrival ETAs
- Approximate location derived from IP address for fraud prevention and analytics
- Job and site addresses you enter manually
Device, technical & usage
- IP address (hashed where possible), user-agent, device type, OS, browser, screen size
- Pages visited, features used, action timings, error reports (via Sentry and Vercel)
- Service-worker / PWA cache state for offline use
Marketing-site visitors
- Aggregated, cookieless analytics via Plausible
- If you consent or visit a marketing landing page: Google Ads conversion tags
- Form submissions (book a demo, contact, newsletter)
We use personal data for the following purposes:
Provide the Service
Authenticate users, run the dashboard, mobile apps and customer portal, store the records you create.
Process payments
Collect subscription fees through Stripe; help you collect payments from your customers via Stripe Connect.
Reconcile bank payments
Match incoming credits from TrueLayer-linked accounts to your invoices.
Sync your accounting
Push and pull contacts, invoices and payments to/from Xero or QuickBooks if you choose to connect them.
Communicate with you and your customers
Send transactional email and SMS, push notifications, automatic reminders and overdue chasers.
Provide AI helpers
Generate suggestions for invoice descriptions, parts, costs and similar drafting tasks (see §08).
Live engineer tracking
Show GPS location to internal users and (if you enable it) to the customer portal.
Keep things secure
Detect abuse, rate-limit, log security events, prevent fraud, investigate incidents.
Improve the product
Aggregate usage analytics, error reports and crash data to fix bugs and prioritise features.
Comply with the law
Maintain accounting and tax records, respond to lawful requests from regulators or courts.
Marketing (with consent or as a customer)
Send product news, run ads on Google and Meta, measure their performance.
Under the UK GDPR we need a lawful basis for each use. Ours are:
- Contract (Art. 6(1)(b)) — providing the Service to you, processing your subscription, supporting your team.
- Legitimate interests (Art. 6(1)(f)) — keeping the Service secure and reliable, preventing fraud and abuse, improving the product, and contacting existing customers about features they're likely to care about. We've weighed these against your interests; you can object at any time.
- Consent (Art. 6(1)(a)) — non-essential marketing cookies, push notifications, location access, sending marketing emails to non-customers. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — tax and accounting record-keeping, responding to lawful requests.
Most integrations are off by default. They only run after you explicitly authorise them in Preferences, and you can disconnect them at any time.
Bank linking via TrueLayer
Provided by TrueLayer Limited, an FCA-authorised Open Banking provider. You authenticate with your bank through TrueLayer's secure flow — your bank credentials are never shared with us. We receive read-only access to incoming credits (date, amount, description) to match payments to invoices. We cannot initiate payments or move funds. Disconnect any time from Preferences → Bank account.
Card payments via Stripe
Stripe Payments UK Limited handles all card data — both for your subscription and for your customers paying you via Stripe Connect. We never store card numbers, CVCs or full PANs. Stripe's privacy policy applies to its processing.
Accounting sync (Xero, QuickBooks)
If you connect Xero or QuickBooks, we use OAuth to read and write contacts, invoices, payments and tax-code mappings. We only sync the data needed to keep both systems in step. Disconnect any time from Preferences → Integrations.
Google Ads measurement
If you connect Google Ads, we read campaign / click identifiers and upload offline conversions for leads that came from your campaigns. We never use one customer's Ads data for another. Disconnect any time from Preferences → Ads & Tracking.
Maps & location (Mapbox, Google Maps)
Address autocomplete and map tiles are served by Google Maps and Mapbox. When you view a map, your IP address and a request for the visible tiles are sent to those providers under their own terms.
SMS & email delivery (Twilio, Resend)
SMS reminders, invoices and notifications are dispatched by Twilio. Transactional and notification email is sent via Resend. Both receive only the message content and the recipient details needed to deliver.
Push notifications (FCM, APNS)
Push tokens are issued by Apple (APNS) and Google (FCM) and are needed to deliver alerts to your device. We store the token and minimal device metadata against your account.
Some features use large language models — for example, drafting invoice descriptions, suggesting parts and costs, or summarising notes. Today these are powered by Google Generative AI (Gemini) and OpenAI.
- The text you submit to an AI feature is sent to the relevant provider over an encrypted connection to generate the response.
- We have contractual terms with these providers that prohibit using your prompts or outputs to train their public models.
- AI outputs are best-effort drafts. They can be wrong. You are responsible for reviewing anything an AI feature suggests before sending it to a customer or relying on it.
- Don't paste sensitive personal data (e.g. full payment details, government IDs, special-category data) into AI prompts. We'll add filtering over time but the safer path is not to put it in.
We use the following sub-processors to run the Service. We've picked providers we'd use ourselves, with appropriate security and (where relevant) UK-GDPR-compliant transfer safeguards.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | EU / UK |
| Vercel | Application hosting, edge network, analytics | EU / US |
| Stripe | Subscription billing and Stripe Connect customer payments | UK / EU / US |
| TrueLayer | Bank account linking (read-only) for payment matching | UK / EU |
| Xero | Accounting sync (only if you connect Xero) | UK / EU |
| Intuit (QuickBooks Online) | Accounting sync (only if you connect QuickBooks) | US |
| Resend | Transactional email (welcome, reminders, notifications) | EU / US |
| Twilio | SMS sending (appointments, reminders, invoices) | EU / US |
| Firebase Cloud Messaging (Google) | Android & web push notifications | US |
| Apple Push Notification Service | iOS push notifications | US |
| Sentry | Error monitoring and performance tracing | EU / US |
| Mapbox | Maps and routing for live engineer tracking | US |
| Google Maps Platform | Address autocomplete and map display | US |
| Google Generative AI (Gemini) | AI helpers for parts, costs and drafting | US |
| OpenAI | AI helpers (e.g. invoice description rewrites) | US |
| Google Ads | Marketing-page conversion measurement | US |
| Plausible Analytics | Privacy-friendly marketing-page analytics | EU |
| Capgo / Capacitor | Native mobile app delivery (iOS / Android) | EU |
We may add or change sub-processors as the product evolves. For material changes that affect your data, we'll update this list and (where required) notify you.
Your data is primarily stored in the UK and EU. Some of our sub-processors operate in the United States or globally. Where personal data is transferred outside the UK, we rely on:
- UK adequacy regulations (where the destination is recognised as providing adequate protection),
- the UK's International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum, and
- additional safeguards where appropriate (encryption in transit and at rest, access controls, contractual restrictions on use).
- Active accounts — for as long as your account is open. You can delete records at any time.
- Closed accounts — we keep your data for up to 90 days after closure to allow recovery and export, then delete or anonymise it, except where we're required to keep it longer.
- Invoices and tax records — kept for at least 6 years to meet HMRC requirements.
- Backups — overwritten on a rolling cycle (typically within 35 days).
- Security logs & error reports — generally retained for 30–90 days.
- Marketing lists — until you unsubscribe, plus a short suppression record so we don't accidentally re-add you.
- Data is encrypted in transit (TLS 1.2+) and at rest (AES-256) on managed infrastructure.
- Passwords are hashed with bcrypt; we don't see them.
- Database access uses row-level security so each organisation only sees its own records.
- Card data is handled by Stripe (PCI DSS Level 1). Bank access goes through TrueLayer (FCA-authorised). We don't store card numbers or bank credentials.
- We follow least-privilege internal access, log administrative actions, and review access regularly.
- If we ever discover a breach affecting your data, we'll notify the ICO within 72 hours where required and contact you without undue delay.
Under the UK GDPR you have the right to:
- Access a copy of the personal data we hold about you.
- Rectify data that's wrong or out of date.
- Erase data where it's no longer needed and there's no legal reason to keep it.
- Restrict or object to certain processing — including direct marketing, which you can opt out of at any time.
- Port your data — receive it in a structured, machine-readable format.
- Withdraw consent where processing relies on it (this won't affect anything done before you withdrew).
- Complain to the Information Commissioner's Office — though we'd appreciate the chance to put things right first.
To exercise any of these, email privacy@onpointbusiness.co.uk. We'll respond within one month and may ask for proof of identity.
OnPoint Business is built for businesses and is not directed at people under 18. We don't knowingly collect personal data from children. If you believe a child has provided us with personal data, please email privacy@onpointbusiness.co.uk and we'll delete it.
We'll update this policy as the product evolves. When changes are material — for example, a new sub-processor that handles personal data, or a new use of data — we'll notify you by email or through the app before they take effect. The “last updated” date at the top always reflects the current version.
For anything related to your data, email privacy@onpointbusiness.co.uk or our general team at support@onpointbusiness.co.uk.
You also have the right to complain to the UK's Information Commissioner's Office (ICO) — Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, helpline 0303 123 1113, or ico.org.uk/make-a-complaint.
Got a question we haven't answered?
Real humans, usually back to you the same working day.