Data Processing Terms

These Data Processing Terms apply whenever Trade Forge Network (“TFN”, “we”) processes personal data on behalf of a Client (“you”) as part of delivering our services. They form part of our Service Agreement with you and apply whether you are a Setup-only Client or a Maintenance Client.

Under UK GDPR, you are the Data Controller and TFN is the Data Processor. You decide what data is processed and why; TFN processes it on your instructions.

• "Personal Data" means information relating to your customers, leads, or business contacts – typically names, phone numbers, email addresses, postal addresses, job history, service records, and communication history.

• "Processing" means any action taken on Personal Data, including storing, organising, updating, retrieving, sending, or deleting it.

• "Data Subjects" means the people whose Personal Data is processed – your past, current, and prospective customers.

• "Services" means the Repeat Revenue System Setup, Repeat Revenue Maintenance, and any related business support services agreed between us.

TFN processes Personal Data only for the purpose of delivering the agreed Services. This may include:

• Importing customers into your tracker, adding new customers, and updating existing customer records.

• Calculating and maintaining follow-up dates for services.

• Preparing priority contact lists and monthly review reports.

• Preparing message templates and, where agreed, managing follow-up communications.

• Related administrative tasks needed to run your system.

The types of Personal Data typically processed are: identity data (names, business names), contact data (phone, email, address), service history (jobs completed, dates, service types), and communication data (notes, follow-up history). TFN will not process special category data (for example, health, racial or religious information) unless specifically agreed in writing.

Processing continues for the duration of the Service Agreement and for up to 30 days after termination, to allow for return or deletion of data.

• You confirm you have a lawful basis under UK GDPR to hold and process your customers' Personal Data, and to share it with TFN for the purposes set out above. For existing customer follow-up, this is typically legitimate interests based on an existing customer relationship.

• You confirm your privacy notice adequately covers how customer data is handled, including the use of third-party service providers such as TFN.

• You are responsible for handling data subject requests (for example, requests for access, deletion, or to stop being contacted) and complaints, with our reasonable assistance.

• You will tell TFN promptly if a customer asks to be removed from your system, or objects to contact, so the record can be updated or removed.

• We process Personal Data only on your documented instructions and solely for the purposes set out in these Terms.

• We take appropriate technical and organisational security measures, including: password-protected cloud storage (Google Workspace), access limited to authorised personnel on a need-to-know basis, secure communication channels, and confidentiality obligations on all personnel.

• We do not transfer Personal Data to any third party outside the agreed Service providers (for example, Google for Google Sheets hosting, GoCardless for billing) without your prior written consent.

• We provide reasonable assistance (at your cost where the effort is significant) to help you respond to data subject requests and meet your obligations under UK GDPR.

• We notify you as soon as possible, and in any event within 24 hours, of becoming aware of a personal data breach affecting your data. You remain responsible for notifying the ICO where required.

• We return or delete your Personal Data within 30 days of Service termination, as you instruct, unless required to retain it by law.

TFN uses the following sub-processors to deliver the Services:

• Google (Google Workspace / Google Sheets) – cloud storage and spreadsheet hosting.

• GoCardless – direct debit payment processing for Maintenance clients.

• Systeme.io – customer relationship management and email communications.

These providers operate under their own privacy policies and standard contractual terms. TFN does not engage any other sub-processors to handle Client data without prior written notice to you.

Some sub-processors may store or process data outside the UK. Where this occurs, appropriate safeguards are in place, including UK Addendum to EU Standard Contractual Clauses or equivalent adequacy mechanisms.

If an individual contacts TFN directly to exercise a data protection right (access, rectification, erasure, restriction, objection, portability), we will not respond on your behalf. We will pass the request to you promptly and assist you in responding.

TFN maintains the following measures appropriate to the risk:

• Technical: password-protected systems, two-factor authentication where available, encrypted transmission, restricted access, regular software updates.

• Organisational: access on a need-to-know basis, staff confidentiality obligations, clear data handling procedures, periodic review of security measures.

No security measure is 100% effective. TFN commits to measures appropriate to the risks and consistent with good practice for small business service providers.

On termination of the Services, or on your earlier written request, TFN will within 30 days either:

• Return all Personal Data to you (typically by transferring ownership of your Google Sheet), or

• Delete all Personal Data, confirming deletion in writing on request.

TFN will retain Personal Data beyond this period only where required to do so by law (for example, financial records for tax purposes), and only for as long as the legal obligation requires.

On reasonable written notice (at least 14 days), you may request information necessary to demonstrate TFN's compliance with these Terms. TFN will respond promptly and provide reasonable cooperation, at your cost where the effort is significant.

Each party is responsible for its own compliance with UK data protection law. TFN is not liable for breaches caused by your instructions, your failure to have a lawful basis, or the actions of data subjects themselves. Overall liability caps are set out in the Service Agreement.

TFN may update these Terms from time to time. The version in force at the time of processing applies. Material changes will be notified to active Clients by email. The current version is always published at tradeforgenet.com/dpa with the last updated date shown at the top.

These Terms are governed by the laws of England and Wales and are subject to the exclusive jurisdiction of the courts of England and Wales.