This policy explains what data TaskDrop collects, how we use it, who we share it with, and your rights under UK GDPR.
1. Who We Are
TaskDrop is a UK-based software service providing AI-powered invoicing and compliance tools for tradespeople. For the purposes of UK GDPR, TaskDrop (operated by Owen-Nathaniel Moore, sole trader, United Kingdom) is the data controller for personal data collected through this service.
TaskDrop is registered with the Information Commissioner's Office (ICO) under registration number ZC122710. You can verify this on the ICO public register.
For data protection queries, contact us at support@taskdrop.co.uk.
2. What Data We Collect
Your business data (provided during onboarding):
- Your name and business name
- Your WhatsApp phone number
- Your business address, email address, and phone number
- Your VAT number (if provided) and UTR number (if provided)
- Your bank account details — sort code and account number — stored securely and shown on your invoices so customers can pay you directly by bank transfer
- Your business logo (stored as an image file on our UK-based server)
- Trade certification numbers (Gas Safe, NICEIC, etc.) if you choose to add them
Your customers' data (submitted when generating documents):
- Customer names and addresses
- Customer email addresses (if provided)
- Job descriptions and work details
- Generated quotes, invoices, and job reports
Voice notes (if you choose to use them):
- Audio recordings you send to TaskDrop via WhatsApp describing a job. Voice notes are optional — you can type instead. The audio is transcribed to text by Groq (see Section 6a) and used to populate your invoice fields. The audio itself is not retained after transcription.
- You are responsible for ensuring you have the right to share your customers' data. If voice notes contain audio of other people, you are responsible for obtaining their consent.
Quote checker tool
- Our free quote-checking tool ("cowboy rate check") compares a price you enter against typical UK rates and shows you the result on screen.
- It does not ask for or collect your name, contact details, or any personal information. The job and price figures you enter are used only to calculate and display your result and are not stored against your identity.
- We do not pass your details to any tradesperson, and we do not sell or share data from this tool.
Social media lead enquiries (only if you connect a Facebook Page / Instagram account):
- If you connect your Facebook Page and/or Instagram account, TaskDrop receives enquiries sent to you via Facebook Lead Ads, Facebook Messenger, and Instagram direct messages.
- This includes the enquirer's name, any phone number or email address they provide, and the content of their message(s). For Messenger and Instagram enquiries, we store the recent message thread so we can identify and assemble a complete enquiry from messages sent across a conversation.
- This data originates from the member of the public who contacts you. It is forwarded to you in WhatsApp as a structured lead so you can respond. You are the data controller for how you use these enquiry details once received.
- You can disconnect your Facebook/Instagram connection at any time from your dashboard, which stops new enquiries being received.
HMRC MTD data (only if you connect your HMRC account):
- Your HMRC National Insurance number and MTD ID — obtained via HMRC OAuth, used solely to submit quarterly returns
- Your HMRC access and refresh tokens — stored encrypted and never exposed to any third party other than HMRC
- Quarterly income and expense figures submitted to HMRC
- Prior income declarations — any income you manually declare as earned before joining TaskDrop in a given quarter
- Submission records — a log of each quarterly submission including period dates, income figure, timestamp, and HMRC API response, retained as an audit trail
- Fraud prevention data transmitted to HMRC as required by their specification: device identifier, browser user agent, screen dimensions, timezone, and public IP address at the time of submission
GoCardless payment data (if you pay for MTD submissions or leads):
- When you pay the £80 MTD submission fee, a GoCardless Instant Bank Pay link is generated. You authorise the payment via your banking app. No Direct Debit mandate is stored. GoCardless stores and processes this payment data in accordance with their own privacy policy and FCA authorisation.
Technical data (collected automatically):
- IP address, browser/device information, pages visited, and request timestamps — collected by our web server for security monitoring and debugging. Not used for marketing or profiling.
3. How We Use Your Data
- Providing the service: Generating invoices, quotes, job reports, and reminders; processing TaskDrop Pay payments via GoCardless; submitting MTD returns to HMRC if you have connected your HMRC account
- Communications: Sending payment reminders to your customers; sending you service notifications, HMRC deadline reminders, and account updates via WhatsApp and email
- Billing: Collecting the £80/quarter MTD submission fee via GoCardless Instant Bank Pay
- Security and fraud prevention: Monitoring for suspicious activity, verifying your identity, transmitting fraud prevention headers to HMRC as required
- Improving the service: Analysing usage patterns (in aggregate, not individually) to improve features
We process your data on the legal basis of contract performance (to provide the service you signed up for) and legitimate interests (security monitoring, fraud prevention).
4. Who We Share Your Data With
We share data only with the following categories of third-party processors, all of whom are bound by appropriate data processing agreements:
- Supabase — database and authentication. Data stored in EU data centres.
- GoCardless — payment processing for MTD submission fees, via Instant Bank Pay. FCA-authorised. Data processed in accordance with GoCardless's privacy policy.
- OpenAI — AI text generation (invoice creation, reminder generation). Data transmitted under OpenAI's API terms with zero data retention for API calls.
- Groq — voice transcription. Audio transmitted for transcription and not retained.
- Resend — email delivery for document notifications and reminders.
- Meta (WhatsApp Business Cloud API) — WhatsApp message delivery. Messages are processed through Meta's Business API infrastructure.
- Cloudflare (Turnstile) — bot and abuse prevention on our login and sign-up forms. Processes your IP address and limited browser and interaction signals to distinguish genuine users from automated traffic. This is not used to track you across websites and sets no advertising cookies. See Cloudflare's privacy policy for details.
- Ionos — VPS hosting. Server located in the United Kingdom.
- HMRC — quarterly MTD ITSA return data is transmitted to HMRC's API if you have connected your HMRC account and approved a submission.
We do not sell your data. We do not share your data with advertisers or marketing companies.
5. International Data Transfers
Some of our processors operate outside the UK:
- OpenAI — United States. Data transferred under the UK International Data Transfer Agreement (IDTA) and OpenAI's API data processing addendum.
- Groq — United States. Data transferred under appropriate safeguards; audio is not retained after transcription.
- Cloudflare — operates a global network and may process the limited bot-prevention data above outside the UK, under appropriate safeguards. No document, invoice, or customer data is sent to Cloudflare.
- GoCardless — United Kingdom and EEA. Fully UK GDPR compliant.
6. How Long We Keep Your Data
- Account data: Retained for as long as your account is active. You can delete your account at any time from your dashboard or by emailing support@taskdrop.co.uk.
- Documents and logos: Retained while your account is active. You can delete individual documents from your dashboard at any time.
- MTD submission records: Retained for 7 years following submission in accordance with HMRC record-keeping requirements.
- Voice notes: Audio is transcribed and discarded immediately. The resulting text is retained as part of the document record.
- Social media lead messages: Messenger and Instagram message threads used to identify enquiries are retained for up to 30 days, then deleted. The resulting lead record (name, contact details, job summary) is retained while your account is active so you can act on it.
- Server logs: Retained for 30 days for security and debugging purposes, then deleted.
6a. How AI Is Used
TaskDrop uses two AI providers to process your data:
- OpenAI (GPT-4o): Used to understand your typed or transcribed job descriptions and generate invoice, quote, and reminder content, and — if you connect a Facebook Page or Instagram account — to read incoming Messenger/Instagram enquiries and identify genuine job leads. The relevant message text is sent to OpenAI's API. OpenAI's API terms include a zero data retention policy — data sent via the API is not used to train OpenAI models.
- Groq (Whisper large-v3): Used to transcribe voice notes you send via WhatsApp. Your audio file is sent to Groq's API for transcription and returned as text. The audio is not retained by Groq or TaskDrop after transcription.
AI-generated content (invoices, reminders, etc.) is produced automatically based on the information you provide. You should review all generated documents before sending them to customers.
7. Your Rights Under UK GDPR
You have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Correct inaccurate data — you can update most information directly in your dashboard
- Erasure: Request deletion of your data. We will delete your account and associated data within 30 days, subject to legal retention requirements (e.g. MTD submission records)
- Portability: Request your data in a machine-readable format via the Export function in your dashboard
- Objection: Object to processing based on legitimate interests
- Restriction: Request that we restrict processing of your data in certain circumstances
To exercise any of these rights, contact us at support@taskdrop.co.uk. We will respond within 30 days.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the ICO at ico.org.uk.
8. Cookies and Analytics
TaskDrop uses Google Analytics (via Google Tag Manager) to measure website traffic in aggregate. This uses cookies. No personally identifiable information is sent to Google Analytics. You can opt out using your browser's cookie settings or a browser extension such as uBlock Origin.
No advertising cookies are used. We do not serve third-party advertising.
Our login and sign-up forms use Cloudflare Turnstile to prevent automated abuse. Turnstile is designed to be privacy-preserving and does not use cookies to track you across websites; any token it uses is strictly for completing the security check on our forms.
9. Security
We take appropriate technical and organisational measures to protect your data, including:
- TLS encryption for all data in transit
- HMRC credentials stored encrypted in our database
- SSH key-only access to our server infrastructure (no password login)
- Supabase row-level security ensuring users can only access their own data
- OTP-based authentication — no passwords stored
- Annual penetration testing using OWASP ZAP
10. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via WhatsApp or email at least 14 days before the changes take effect. The current version is always available at taskdrop.co.uk/privacy.
11. Contact
For any privacy-related queries, contact us at support@taskdrop.co.uk.
TaskDrop is operated by Owen-Nathaniel Moore, sole trader, United Kingdom. ICO registration: ZC122710.