Privacy Policy
Last updated: 13 May 2026 · Version 1.0
1. Who is the controller of your data?
Open Source AI Ltd is the data controller for personal data collected through Fix-A(I)LL.
- Registered address: 228 Borough Road, Middlesbrough, North Yorkshire, TS1 2EQ
- ICO registration number: ZC102296
- Data Protection Officer: Mr Ranjith Dinakaran
- DPO contact: [email protected]
- General contact: [email protected]
2. What personal data we collect
From customers:
- Identity data: full name, email address, phone number (optional)
- Address data: postcode, address lines, city — for the property where work is needed
- Job data: description of the problem, trade hint, photos of the issue
- Payment data: we do not store full card numbers. Stripe handles the transaction and gives us a transaction ID and amount
- Technical data: IP address (for anti-fraud), browser type, device type
- Communication data: messages you exchange with tradespeople via the Platform
- Membership data (if applicable): membership status, registered addresses
From tradespeople:
- Identity and contact data: name, business name, email, phone, business postcode and area
- Verification documents: photo ID, insurance certificates, trade qualification cards or numbers, proof of address
- Payment data: payment method ID and Stripe customer reference (we don't store card numbers themselves)
- Performance data: jobs accepted, jobs completed, customer ratings, reviews
3. Why we collect it (legal basis)
| Purpose | Legal basis |
|---|---|
| Providing the AI estimate service | Contract (Article 6(1)(b)) |
| Routing your job to relevant tradespeople | Contract |
| Sending transactional emails (estimate ready, etc.) | Contract |
| Verifying tradesperson identity and credentials | Legitimate interest / legal obligation |
| Fraud detection and prevention | Legitimate interest (Article 6(1)(f)) |
| Financial records (Stripe transactions) | Legal obligation (Companies Act, HMRC) |
| Improving our AI estimates | Legitimate interest (with data minimisation) |
| Marketing emails (only with consent) | Consent (Article 6(1)(a)) |
4. Who we share data with
We share data with the following third parties, only as needed:
- Tradespeople: once you agree to publish your job, the following are visible on the jobs board: the trade required, postcode area, AI estimate, photos, and problem description. Your full name, full address, email, and phone are only shared with the tradesperson who accepts your job
- Anthropic (Claude AI): photos and the problem description are sent to Anthropic's API to generate the estimate. Anthropic does not retain or train on this data per their commercial terms
- Stripe: payment information is handled directly by Stripe under their own privacy policy. We receive only a transaction ID and amount
- Resend: we use Resend to send transactional emails. They receive your email address and the email contents
- Cloudflare: provides our hosting, tunnel, and security services. They may process technical data (IP, browser) for security purposes
- Hosting infrastructure: our servers are operated by Open Source AI Ltd in the United Kingdom
- Law enforcement or regulators: only where legally required (e.g. court order, valid request)
We do not sell your personal data. We do not share it for marketing purposes with third parties.
5. International transfers
Most of our data processing happens in the UK or EU. Anthropic's API and Stripe operate from the US — these transfers are protected by Standard Contractual Clauses and (in Stripe's case) UK Adequacy Regulations.
6. How long we keep your data
- Active accounts: for as long as you have an account
- Closed jobs and submissions: 2 years from completion, after which photos and free-text problem descriptions are deleted; anonymised aggregate data may be retained for AI improvement
- Financial records (transactions, invoices, accounts): 6 years (legal requirement)
- Tradesperson verification documents: for as long as the account is active, then 2 years for audit purposes
- Messages: 2 years from the last message in a thread
- Fraud flags / suspected misuse records: up to 6 years, for fraud prevention purposes
7. Your rights
Under UK GDPR you have the right to:
- Access your personal data — request a copy of what we hold
- Rectify inaccurate data
- Erase your data ("right to be forgotten"), subject to legal exceptions (e.g. we may need to retain financial records)
- Restrict processing in certain circumstances
- Object to processing based on legitimate interest
- Data portability — receive your data in a structured format
- Withdraw consent at any time for processing based on consent (e.g. marketing emails)
- Complain to the ICO if you believe we have mishandled your data — see ico.org.uk
To exercise any of these rights, email [email protected]. We will respond within 30 days (extendable by 60 days for complex requests, as permitted by law).
8. Security
We take security seriously. Measures we use include:
- HTTPS encryption for all traffic via Cloudflare
- Bcrypt hashing of all passwords
- Signed session cookies (HttpOnly, Secure flags)
- Restricted API keys with least-privilege access
- Regular software updates and security patches
- No storage of payment card numbers (handled by Stripe)
If we suffer a personal data breach that is likely to result in a risk to your rights, we will notify the ICO within 72 hours and inform affected individuals where required.
9. Cookies
See our Cookies Policy for details.
10. Children
Fix-A(I)LL is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have, contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date will reflect the latest revision. We will notify you of material changes by email.
Questions? Email [email protected] or write to: Data Protection Officer, Open Source AI Ltd, 228 Borough Road, Middlesbrough, TS1 2EQ.