RoofersBook

Privacy policy

Last updated 2026-04-11

A plain-English version of what we collect, why, who we share it with, and how you control it. If anything here is unclear, email privacy@roofersbook.com and I'll explain it properly.

1. Who we are (the data controller)

RoofersBook is a trading name used by Giuseppe, a sole trader in the United Kingdom. The data controller for this site is Giuseppe personally — there is no separate limited company or corporate entity.

Giuseppe is registered with the Information Commissioner's Office under the UK data protection fee regime as the data controller responsible for this site.

If you need to contact the data controller in writing by post, email the privacy address above and a correspondence address will be supplied.

2. What data we collect

We only collect what we need. In practice that is:

  • Quote request data. When you submit the quote form: your name, email, phone (optional), best time to call (optional), full postcode, job details, property information, and any photos you choose to upload. The form also records which page on the site you came from, and your device's user agent and a salted hash of your IP address for anti-spam.
  • Listing claim data. When a roofer claims a listing: business name, contact details, insurance and trade body evidence if provided, director information where the claim is verified against Companies House.
  • Correspondence. Any emails you send us and our replies. Stored in our email system for as long as the matter is live plus the retention period below.
  • Server and analytics data. Standard web server logs (timestamps, pages visited, referrer, truncated IP, user agent) and, if we are using analytics at the date you read this, anonymised usage data (pages viewed, approximate region, device type). We do not use cross-site advertising cookies.

We do not collect special-category data under Article 9 UK GDPR (health, biometric, political, religious, sexual orientation). We do not want it. If you accidentally include it in a quote description we will redact it on receipt.

3. Why we use it (lawful bases under Article 6 UK GDPR)

PurposeData usedLawful basis
Passing your quote request to suitable roofersQuote request dataContract (Art 6(1)(b)) — it is the service you asked us to perform
Emailing you a confirmation and a reference numberName, emailContract (Art 6(1)(b))
Running the directory and editorial siteServer logs, correspondenceLegitimate interests (Art 6(1)(f)) — running our own website
Anti-spam and abuse preventionSalted IP hash, user agent, honeypot dataLegitimate interests (Art 6(1)(f)) — site security
Verifying a listing claim against Companies HouseBusiness name, director name, claim form dataLegitimate interests (Art 6(1)(f)) — directory accuracy
Responding to your correspondenceEmail content, any identifiers you giveLegitimate interests (Art 6(1)(f))
Complying with a legal obligationAnything relevant to the specific obligationLegal obligation (Art 6(1)(c))

Where we rely on legitimate interests we balance those interests against your rights and freedoms. You can object to any legitimate-interests processing at any time by emailing the privacy address.

4. Who we share your data with

We share personal data with the following specific categories of recipient. No one else.

  • Roofers you ask us to pass the brief to. When you submit a quote request, the information becomes the subject of an introduction to a small number of suitable local roofers — typically up to three. They receive your name, contact details, and job brief so they can get in touch. Each roofer is an independent data controller of the data they receive. We are not responsible for their subsequent processing, but we do only introduce you to roofers who accept our lead terms, which require UK GDPR compliance.
  • Our processors. Third-party services that run parts of our infrastructure on our behalf. They are contractually prohibited from using your data for their own purposes. The current list is below.
  • Legal or safeguarding recipients. If we are legally required to share data (for example on receipt of a court order, or to report a suspected crime), we will. We will tell you unless we are legally prevented from doing so.

Current processors (sub-processors)

  • Vercel Inc. — hosting and build platform. US company with UK/EEA data residency options. Role: processor for website traffic and serverless function execution.
  • Resend Inc. — transactional email delivery for quote confirmations and notifications. US company. Role: processor.
  • Supabase Inc. — (planned) database and storage for roofer listings and lead records. US company with EU region selectable. Role: processor.
  • Stripe Payments UK Ltd — (planned) payment processing for any roofer subscriptions or lead fees. UK company. Role: joint controller for payment data; processor for metadata we pass.

If we add or change a processor we will update this list and the "last updated" date above. Material changes that affect your rights will be highlighted on the page.

5. International data transfers

Several of the processors above are US-headquartered. Where personal data is transferred outside the UK, we rely on one of the following transfer mechanisms:

  • The UK Extension to the EU-US Data Privacy Framework, where the recipient is certified under it;
  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, where the recipient is not DPF-certified;
  • Regions and data residency controls offered by the processor (for example, hosting in an EU or UK region) where available.

If you want to see the specific mechanism in place for a specific processor, email the privacy address and I will send it.

6. Retention periods

  • Quote request records — 24 months from the date of submission, then deleted or fully anonymised. Shortened on request under your right to erasure (see below).
  • Correspondence — up to 3 years, to handle follow-up questions and complaints.
  • Server and security logs — up to 12 months.
  • Listing claim records — while the listing is active plus 3 years.
  • Payment records — 6 years plus the current financial year, as required by UK tax and accounting law.
  • Anti-abuse suppression lists — indefinitely, because the purpose is to stop repeated abuse by the same party.

7. Your rights

Under the UK GDPR and the Data Protection Act 2018 you have the following rights:

  • Access — a copy of the personal data we hold about you.
  • Rectification — correction of inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — deletion where the data is no longer necessary, consent is withdrawn, or the processing was unlawful.
  • Restriction — pause processing while a dispute is resolved.
  • Portability — receive your data in a portable format and transmit it to another controller.
  • Object — object to processing based on legitimate interests, including to stop marketing communications.
  • Withdraw consent at any time where consent is the lawful basis.
  • Not to be subject to solely automated decision-making (we do not do this).

To exercise any of these, email privacy@roofersbook.com. We will respond within one calendar month. The service is free. We may ask for enough information to confirm your identity so we don't hand over someone else's data to the wrong person.

You also have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection regulator. We'd prefer you come to us first so we have a chance to fix it, but your right to complain to the ICO is absolute and is not affected by contacting us first.

8. Cookies and similar technologies

We use a minimal number of cookies. Specifically:

  • Strictly necessary cookies — for session management, theme preference (light/dark), and CSRF protection. These are set without consent because they are necessary to provide the service you asked for (PECR Reg 6(4)).
  • Analytics cookies — if and when analytics is enabled on the site, we will use a privacy-respecting analytics provider and set analytics cookies only after consent, with a clear opt-in/opt-out control. As at the date above, no analytics cookies are in use.

Before any non-essential cookies are deployed, we will implement a consent control that allows you to accept or reject them before they are placed on your device, in compliance with PECR Regulation 6(1). No non-essential cookies will be set without that control being in place.

We do not use advertising cookies, tracking pixels, or third-party retargeting.

9. Children

This site is not aimed at children under 16 and we do not knowingly collect data from them. If you believe a child has submitted information to us, email the privacy address and we will delete it.

10. Security

We use HTTPS on every page, we store credentials and secrets out of source control, and we limit access to personal data to the people who need it to do the work. Perfect security does not exist. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where the risk is high, notify affected individuals directly.

11. Marketing communications and PECR

We do not run a consumer marketing list at the date above. If that changes, we will ask for explicit opt-in consent in compliance with the Privacy and Electronic Communications Regulations 2003 (PECR), and every marketing email will carry a one-click unsubscribe.

We may contact UK limited-company roofers about their listing under the legitimate interests provisions in PECR applicable to corporate subscribers. Any such outreach is honoured if you ask us to stop, and we maintain a suppression list of opt-outs.

12. Changes to this policy

We will update this page whenever we change our processors, retention periods, or the purposes we use your data for. The "last updated" date at the top changes with every edit. Material changes will be highlighted at the top of the page for at least 30 days after the change.

13. Contact and complaints