Last updated: 25 May 2026 · Version 1.0
Privacy Policy
Heatflow is operated by Rapid Heat Response Ltd, a company registered in England and Wales.
Plain English summary
We collect only what we need to run the app. We do not sell your data. You can download or delete your data at any time; the only exception is billing records, which we must keep for as long as the law requires. Your customer data belongs to you.
1. Who we are
Heatflow is a mobile application for UK Gas Safe registered engineers, operated by Rapid Heat Response Ltd, a company registered in England and Wales. Data controller contact: privacy@heatflow.app
We are the data controller for engineer account data. For the customer data you enter into the app, you are the data controller in your own right and we act as your data processor, storing it on your behalf.
2. What data we collect and why
2.1 Account and profile data
Name, email, password (hashed), Gas Safe registration number, company name, phone number, and ACS certificate expiry date — collected to create your account, populate certificates, and send renewal reminders.
2.2 Job and certificate data
Job records, CP12/CP6 certificate data, job photos, and unsafe situation records — collected to run the workflow engine and generate legally required Gas Safety Records.
2.3 Customer data entered by you
When you enter customer names, addresses, and contact details, you are doing so as a data controller in your own right. We store this data on your behalf and do not use it for any purpose other than providing the service to you.
2.4 Billing data
We use Stripe to process payments. We do not store card numbers. We store your Stripe customer ID, subscription status, and subscription period dates.
2.5 Data we do NOT collect
We do not collect location data, contacts from your phone, or advertising identifiers. The app does not access your camera or microphone except when you explicitly start an action that needs it (for example, taking a job photo).
3. How long we keep your data
Account, job, certificate, and customer data is kept until you delete your account. Billing records are kept for 7 years to meet statutory record-keeping requirements. Deleted account data is purged within 30 days of your deletion request.
4. Who we share your data with
We do not sell your data. We share it only with the providers needed to run Heatflow:
- Supabase — Database and authentication (EU, Frankfurt)
- Stripe — Payment processing (USA, with SCCs)
- Resend — Transactional email (USA, with SCCs)
- Anthropic — AI fault diagnosis (USA, with SCCs)
- Expo — Push notifications (USA, with SCCs)
- Cloudflare — Photo storage (EU)
Where providers are based outside the UK/EEA, transfers are protected by Standard Contractual Clauses (SCCs) together with the ICO's International Data Transfer Addendum, the safeguard required for restricted transfers under UK GDPR.
5. Your rights under UK GDPR
- Right of access — request a copy of all data we hold about you
- Right to portability — download your data (Settings → Download my data)
- Right to erasure — delete your account and all data (Settings → Delete my account)
- Right to rectification — correct inaccurate data via the app
- Right to restrict processing — ask us to pause processing in certain circumstances
- Right to object — object to processing based on legitimate interests
To exercise any right not available in the app, email privacy@heatflow.app. We will respond within one month, the period set by UK GDPR.
6. Security
- All data in transit encrypted with TLS 1.2+
- All data at rest encrypted (AES-256)
- Row Level Security (RLS) enforced in the database — each engineer can read and change only their own records, so isolation does not depend on app code alone
- Passwords stored only as salted hashes — we never store or see your plain-text password
7. Cookies
The Heatflow mobile app does not use cookies. This website uses only technically necessary session cookies. We do not use advertising or tracking cookies.
8. Changes to this policy
We will notify you of material changes via in-app notification and by updating the "last updated" date above.
9. Complaints
If you are unhappy with how we handle your data, you have the right to complain to the UK Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113. We would appreciate the chance to help first — email privacy@heatflow.app.