Privacy

Privacy policy

Last updated: 15 May 2026

Summary

Heyguv is a website builder for UK tradespeople. To run it, we have to collect some personal data — yours, and the data of the customers who fill out contact forms on your site. This policy explains what we collect, why, who else sees it, and what you can do about it.

The short version:

  • Your data and your customers' lead data are stored in the UK (Supabase, London region).
  • We never sell your data, and we never sell your customers' lead data to anyone.
  • We use a small number of third-party services (Stripe, Resend, Anthropic, PostHog, Vercel) to run the product — they're listed below.
  • You can request a copy of your data, ask us to delete it, or correct it, at any time. Email hello@heyguv.com.

Who we are

Heyguv is a product of Floorfindr Ltd, a company registered in England and Wales. Our registered office is Unit 3, 164-170 High Street, Crowthorne, RG45 7AT.

For data protection purposes, Floorfindr Ltd is the data controller for:

  • Your account data (you, the tradesperson signing up)
  • Marketing and product communications we send you

We act as a data processor on behalf of you (our customer) for:

  • Leads submitted through your Heyguv site by your potential customers
  • Any content you upload (testimonials, project updates, photos)

In other words: your customers' personal data belongs to your business. We just hold it for you and let you see it.

What we collect, and why

When you sign up as a Heyguv customer

  • Email address — so you can log in, and so we can send you account-related emails.
  • Business name, slug, contact details (your phone and email), trade type, service areas — to build and run your site.
  • Owner first name— used in your site's voice (e.g. lead acknowledgement emails sign off in your name).
  • Payment details— handled directly by Stripe. We don't see or store your card number; we only store Stripe's customer and subscription IDs so we can match your account to your subscription.

We use this data to provide the service you signed up for (legal basis: contract performance under UK GDPR Art. 6(1)(b)).

When someone submits a lead through your site

When a potential customer fills out the contact form on your Heyguv site, we collect:

  • Their name
  • Their email
  • Their phone number (if provided)
  • A description of the job they're enquiring about
  • Their postcode (if provided)
  • The time they submitted, and your business they submitted to
  • A raw copy of the form submission, retained for diagnostics

We collect this so you can respond to them. Legal basis: legitimate interest (Art. 6(1)(f)) — without it, we can't deliver the lead to you, which is the whole point of the form.

Their data is only visible to you (and the staff of your business, if multi-user is enabled in future). It's tenant-isolated at the database level — other Heyguv customers cannot see it.

When you use the dashboard

  • Session cookies — required for you to stay logged in. Essential, no consent needed.
  • Activity logs — we keep server-side logs of API requests for security, debugging, and abuse prevention. These include IP address, user agent, and what endpoint was called. Legal basis: legitimate interest.

Who we share data with

We use a small number of carefully chosen third-party services (“sub-processors”) to run Heyguv. Each is bound by a data processing agreement.

Supabase (Supabase Inc., US company, data hosted in eu-west-2 / London)
What: All your account data and lead data lives here. Authentication and database.
Why: Core infrastructure.

Stripe (Stripe Payments UK Ltd)
What: Your payment details, billing address.
Why:We only ever store Stripe's references; Stripe handles the card data directly, certified to PCI DSS Level 1.

Resend (Resend Inc., US)
What: Email addresses, names, and email content for transactional emails (welcome email, lead notifications, billing notifications).
Why:Reliable email delivery. Resend processes the data only for delivery and doesn't use it for anything else.

Anthropic (Anthropic PBC, US)

Heyguv uses Anthropic's commercial API for AI-assisted features. The data we send depends on the feature:

  • Lead reply drafting— when you click “Draft replies” on a lead, we send the lead's name and job description. We do NOT send their email, phone, or postcode.
  • Site content rewriting— when you click “Improve with AI”, we send the text being rewritten, your business name, trade, and primary location, along with any other copy you've already written in the same section.
  • Project update caption suggestions — when posting a project update, we send the photo itself together with your business name, trade, location, the project's context, and any earlier captions in that project.
  • Default site content generation — during onboarding, we send your business name, owner first name, trade, service areas, and any personalisation answers you've given in the wizard.
  • Process steps generation — when you click “Generate steps for my trade” in your dashboard, we send your business name, trade type, and location to suggest 4 process steps. You can edit or replace them after.

Anthropic doesn't train models on this data — we use their commercial API which is contractually excluded from training.

PostHog (PostHog Inc., EU-hosted instance)
What:Product analytics events (which pages were viewed, which buttons clicked). Today PostHog runs without setting any cookies or storing data in your browser, and respects browser “Do Not Track” signals.
Why: Helps us understand how the product is used so we can improve it.

Vercel (Vercel Inc., US)
What: Hosts the application. Sees IP addresses and request metadata in transit.
Why: Hosting and CDN.

We don't share data with anyone else, and we don't sell it.

International transfers

Some of our sub-processors are based in the US (Stripe, Resend, Anthropic, Vercel, Supabase). Where personal data is transferred outside the UK, we rely on either the UK's adequacy regulations or Standard Contractual Clauses as approved by the ICO. The actual customer and lead data sits in the UK (Supabase, eu-west-2).

How long we keep your data

  • Account data: kept while your account is active, and for 12 months after cancellation in case you return. After that, we delete it.
  • Lead data: kept as long as your account is active. You can delete individual leads in your dashboard at any time. After you cancel, lead data is retained for 30 days (so you can re-export if needed), then deleted.
  • Billing records: kept for 7 years to comply with UK accounting law.
  • Server logs: 30 days.

Your rights

Under UK GDPR you have the right to:

  • Get a copy of the personal data we hold about you (Subject Access Request).
  • Correct any inaccurate data.
  • Deleteyour data (“right to be forgotten”) — subject to legal retention obligations like the billing records above.
  • Object to our processing on legitimate-interest grounds.
  • Withdraw consent (e.g. unsubscribe from marketing).
  • Receive your data in a portable format (e.g. export your leads as CSV).

To exercise any of these rights, email hello@heyguv.com. We'll respond within one month.

If you're a lead (not a Heyguv customer) and you want your data removed from a tradesperson's site, you can either contact that tradesperson directly, or email us and we'll handle the request and pass it on.

If you're unhappy with how we handle your data, you can complain to the UK's Information Commissioner's Office (ICO) at ico.org.uk.

Cookies and tracking

We use cookies for three things:

  • Essential cookies — keep you logged in. Always on, required for the service to work.
  • Stripe cookies — Stripe sets cookies on the checkout page for fraud prevention. Required for payment to work.
  • Consent cookie — when you accept or decline the cookie banner, we store your choice in a first-party cookie (heyguv_consent) so we don't ask again. Expires after 12 months.

We use PostHog (hosted in the EU) for product analytics. PostHog only loads after you accept our cookie banner. If you decline, PostHog is never initialised and nothing about your session is sent to it. You can change your mind any time via the “Cookie settings” link in the footer.

No advertising cookies. No tracking pixels. No third-party marketing trackers.

Children

Heyguv is a B2B product for trade businesses. It's not intended for or directed at anyone under 18. If you become aware that a child has provided us with personal data, please email hello@heyguv.com and we'll delete it.

Marketing communications

We send you:

  • Transactional emails— receipts, lead notifications, password resets, important account changes. These are required for the service and you can't opt out while you have an active account.
  • Product updates— occasional updates about new features. You can opt out of these in your account settings or by clicking “unsubscribe” on any such email. We treat existing Heyguv customers as having consented under the PECR soft opt-in, but you can opt out at any time.

We don't currently send marketing emails, but we may in the future. If we do, it'll be limited to product-related updates and we'll honour any opt-out immediately.

Changes to this policy

If we make material changes to this policy, we'll email all active customers at least 14 days before they take effect. Smaller corrections (typos, clarifications) we'll just update inline with a new “last updated” date.

Contact

Questions about this policy, or about how we handle your data: hello@heyguv.com

By post: Data Protection, Floorfindr Ltd, Unit 3, 164-170 High Street, Crowthorne, RG45 7AT, United Kingdom.