Privacy Policy
1. Introduction
HQ Parts UK Ltd ("Company", "we", "us", "our"), trading as Vectro, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform at www.vectro.uk (the "Service").
We are the data controller. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and PECR.
Data Controller: HQ Parts UK Ltd
Company Number: 14295616
Address: 37 Wheatcrofts, Barnsley, South Yorkshire, S70 6BZ
ICO Registration: ZB604497
Contact: support@vectro.uk
2. Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Account (you, the subscriber) | Name, email, company name, password (hashed) | Authentication, communication |
| Authorised Users (your staff) | Names, email addresses, role (admin, office, sales, installer), working-day pattern, recurring schedule blocks, login activity | Allowing your team members to use the Service, enforcing role-based access, displaying availability in the Day Planner |
| Staff absences | Holiday, sick, personal, training and similar absence records for your Authorised Users (start/end dates, optional notes, approval status). Sick-leave entries relate to health and we treat them with additional care. | Allowance tracking and team availability scheduling |
| Customer data | Your customers' names, addresses, phones, emails, communication preferences (e.g. opt-in for reminders, invoices, marketing) | Providing the Service (CRM, quoting) |
| Quotes & orders | Product selections, dimensions, prices, notes for clients, multiple quote variants per lead, payment status records (e.g. method, amount, date — Vectro does not process the payment itself) | Quoting, order management |
| File attachments | Images, PDFs uploaded to leads and quotes (technical drawings, T&C documents), and files attached to manufacturer production orders | Supporting quotes and orders |
| Calendar data | Appointment dates, times and customer names for measurements, installations and reclamations; internal events (recurring or one-off team meetings, training, office days) involving your Authorised Users. Synced to Google Calendar if a user connects their account. | Appointment scheduling, internal team coordination, reminders |
| Activity log | A per-lead history of significant actions (status changes, appointment changes, who performed the action and when) | Audit trail, accountability, customer support |
| Marketing broadcasts | Content of marketing emails you compose in the Service to send to your own end customers (subject, HTML body, uploaded images), the list of selected recipients, send results, and unsubscribe records | Operating the bulk-email feature you choose to use, recording who opted out so future broadcasts respect their choice |
| Manufacturer communications | Email addresses of your suppliers and the content of order emails (item list, attached files) sent to them through the Service | Sending production orders to your chosen suppliers |
| End-customer access to quotes | When you share a quote view link with an end customer, that link allows access (no login) to the specific quote and the personal data within it. Access events may be logged for security. | Allowing your customers to view their quote |
| Payment | Billing address, payment method (via Stripe) | Subscription billing |
| Usage | Login timestamps, IP addresses | Security, support |
| Usage analytics | Pages viewed, key actions performed (e.g. quote created, lead status changed), timestamps | Understanding feature usage to improve the Service |
3. Lawful Basis for Processing
- Contract performance (Art 6(1)(b)): Processing necessary to provide the Service.
- Legitimate interests (Art 6(1)(f)): Service improvement, fraud prevention, security.
- Legal obligation (Art 6(1)(c)): Tax, accounting, regulatory requirements.
- Consent (Art 6(1)(a)): Marketing communications (with opt-in).
4. How We Use Your Data
We use your data to: provide and improve the Service; process payments; send transactional emails (reminders, quotes, orders); provide support; detect fraud; comply with legal obligations. We do not sell your data to third parties.
We collect usage analytics linked to your account (pages visited, features used, frequency of key actions, timestamps) to understand how Vectro is used and to inform product decisions. This data is processed under our legitimate interest in improving the Service. We do not use it for advertising or share it with third parties for their own purposes.
Automatic appointment reminders. If enabled, the Service automatically sends reminder emails to your end customers on your behalf before scheduled appointments (typically the day before). You control whether automatic reminders are enabled, the send time, and whether individual customers receive them. We act as your processor when sending these messages; you act as the controller and remain responsible for the lawfulness of contacting those customers.
Marketing broadcasts you send through the Service. The Service includes a tool that lets you compose and send bulk marketing emails to selected end customers. We act as your processor for these sends. You are the controller and are responsible for: (a) ensuring you have a valid lawful basis under UK GDPR and a valid consent (or other PECR basis) for each recipient, (b) honouring opt-outs, (c) the content of the messages you send. An unsubscribe link is included automatically in every marketing message, and recorded unsubscribes are respected on subsequent sends.
Staff access to analytics: Specifically authorised Vectro personnel (currently the founder and any future support staff) can view aggregated activity statistics for each customer account, including which pages are most viewed, which actions are most performed, the number of active users, and timestamps of recent activity. Identifiers (account name, user names) may be visible alongside this data. This access is used solely to: (a) provide customer support, (b) monitor account health and identify customers who may need assistance, (c) inform product improvement decisions. We do not browse the contents of your Customer Data (your customers' details, quotes, files) for these purposes; analytics covers only metadata about feature usage, not the substantive content you store in the Service.
5. Third-Party Processors
| Provider | Purpose | Location |
|---|---|---|
| Railway | Application hosting & database (PostgreSQL) | EU West |
| Cloudflare R2 | Encrypted database backups (30-day retention) and storage of files attached to manufacturer production orders. Files attached to leads (internal use) and to client quotes are stored in our application database alongside the related record, not in R2. | EU West |
| Stripe | Payment processing | US (adequate) |
| Resend | Email delivery (quotes, reminders, orders) | US (adequate) |
| Google | Calendar sync (optional, user-initiated) | US (adequate) |
All processors are bound by data processing agreements with appropriate security measures.
6. Google User Data
If you choose to connect your Google Account to enable Google Calendar synchronization, Vectro accesses, uses, and stores limited Google user data. This section describes how this data is handled, in accordance with the Google API Services User Data Policy, including the Limited Use requirements.
What Google data we access
- Your basic Google profile information (email address, name) — to identify your account during sign-in.
- Your Google Calendar events that Vectro creates (measurements, installations, team absences, internal events such as recurring team meetings, training or office days, where the Authorised User is an attendee) — Vectro only reads, creates, updates, and deletes events that it has itself created. We do not read other events from your calendar.
- OAuth refresh and access tokens — stored encrypted in our database to maintain the connection.
How we use Google data
- To create, update, and delete calendar events on your primary Google Calendar that correspond to appointments and team absences in Vectro.
- To sync changes you make in Vectro to Google Calendar in near real time.
- To verify your identity at sign-in (basic profile only).
How we share Google data
We do not share, transfer, or disclose Google user data with any third parties, except:
- Sub-processors strictly necessary to operate the service: Railway (application hosting, EU West) stores the data; Cloudflare R2 (EU West) holds encrypted backups. These providers are contractually bound to confidentiality and only act on our instructions.
- To comply with applicable law or a valid legal request (e.g. court order).
- If you explicitly request we share data (e.g. support investigation).
We do not sell Google user data, share it for advertising, transfer it to data brokers, or use it to train artificial intelligence or machine learning models.
How we store and protect Google data
- OAuth tokens are stored encrypted in our PostgreSQL database hosted on Railway (EU West).
- Encrypted database backups are held on Cloudflare R2 (EU West) for 30 days on a rolling basis.
- Access is restricted to authorized Vectro personnel and the systems necessary to provide the service.
How to revoke access
You can disconnect Vectro from your Google Account at any time:
- Inside the Vectro app: Settings → Google Calendar → Disconnect.
- Or directly in your Google Account: myaccount.google.com/permissions.
When you disconnect, we delete your stored OAuth tokens. Calendar events that Vectro previously created remain on your Google Calendar; you can delete them manually.
Limited Use compliance
Vectro's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
7. Data Retention
- Active account data: Duration of Subscription + 30 days.
- Customer data: Deleted within 30 days of account termination.
- Authorised User records (your staff) and their absence records: Retained for the duration of the Subscription; deleted within 30 days of account termination, except where retention is required by law.
- File attachments (lead files, quote files, manufacturer order files): Deleted with their associated lead, quote, or order, or within 30 days of account termination.
- Per-lead activity log: Retained with the lead; deleted with the lead or on account termination.
- Marketing broadcasts (composed content and send records): Retained for 90 days for audit and troubleshooting, then deleted. Unsubscribe records are retained for longer where needed to honour opt-outs.
- Database backups: Automatically deleted after 30 days (rolling retention).
- Payment records: 6 years (HMRC requirement).
- Usage logs: 12 months.
- Usage analytics events: 90 days (automatically deleted after this period).
Inactive trial accounts. If you register for the Service and your free trial ends without you beginning a paid Subscription, your account may be treated as abandoned. We will send a warning email to the registered address giving you a reasonable opportunity (at least 14 days) to start a Subscription and keep the account. If you do not start a Subscription within that period, we may permanently delete the account and all associated data, except where retention is required by law (e.g. financial records) or for the establishment, exercise or defence of legal claims. This does not apply to existing paying customers, cancelled subscriptions (which are covered by the post-termination retention window above), or accounts we have designated as free or evaluation accounts.
8. Your Rights (UK GDPR)
You have the right to: access your data (including a copy of usage analytics events recorded for your account); request rectification; request erasure; restrict processing; data portability; object to processing; withdraw consent at any time.
Contact us at support@vectro.uk. We will respond within 30 days.
If unsatisfied, you may complain to the Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113.
9. Data Security
We implement: encryption in transit (TLS/HTTPS) and at rest; bcrypt password hashing; JWT authentication with token expiry; role-based access controls; daily encrypted database backups with 30-day retention; EU-based hosting and backup storage; regular security reviews.
10. Local Device Storage (Offline Mode)
To support use in the field where mobile coverage may be unreliable (for example, by installers visiting customer premises), the Service caches a copy of recently used data on your device using your browser's local storage (IndexedDB), the browser cache managed by a Service Worker, and small items in localStorage. This local cache may include:
- Details of active leads and their associated customers (name, address, phone, email).
- Quotes and quote items for active leads.
- Reference data such as your products, suppliers, and team list.
- Authentication tokens to keep you signed in.
- Application files (HTML, CSS, JavaScript) cached by the Service Worker for fast load and offline operation.
This data remains on the device until you sign out, clear your browser data, or uninstall the application. It is not transmitted to any third party and is not used by us beyond enabling offline functionality.
Your responsibility: Because this cache contains personal data of your customers, you should sign out from any shared or untrusted device after use. If a device is lost or stolen, you can sign out remotely by changing your password, which invalidates existing tokens; you should also clear that device's browser data when recovered.
11. International Transfers
Some of our sub-processors are located outside the UK. Where personal data is transferred to a third country, we rely on one of the following safeguards under UK GDPR:
- Adequacy decisions: Where the UK Government has determined that the destination country provides adequate protection.
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses: For transfers to countries without an adequacy decision (e.g. transfers to providers headquartered in the United States such as Stripe, Resend, or Google).
- Supplementary measures where required, including encryption in transit and at rest.
You can request a copy of the relevant safeguards by contacting support@vectro.uk.
12. Automated Decision-Making and Profiling
We do not use your personal data to make decisions that produce legal effects or similarly significant effects on you through fully automated means. Pricing calculations within the Service are deterministic functions of the inputs you provide and are not "automated decision-making" within the meaning of UK GDPR Article 22. We do not engage in profiling of you or your end customers for marketing or behavioural targeting.
13. Personal Data Breach Notification
In the event of a personal data breach affecting your account or your customers' data, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours where the breach is likely to result in a risk to the rights and freedoms of natural persons, in accordance with UK GDPR Article 33.
- Notify you without undue delay so that you, as data controller for your end customers' data, can fulfil your own notification obligations under UK GDPR Article 33 and, where required, Article 34.
- Provide reasonable assistance and information to enable you to comply with your obligations.
You are responsible for notifying your end customers where required under UK GDPR Article 34. Our role is to support you with the technical facts of the incident.
14. Marketing Communications
This section concerns marketing communications from Vectro to you. Marketing emails that you send through the Service to your own end customers using the built-in bulk-email tool are addressed in section 4 above; you are the controller for those communications.
We may send you transactional emails relating to your account, the Service, and security (such as quotes you generate, password resets, billing notices, and important Service announcements). You cannot opt out of these as they are necessary for the Service.
We will only send you marketing or promotional communications about Vectro features, tips, or offers if you have opted in. You can withdraw consent at any time by clicking "unsubscribe" in any marketing email or by contacting support@vectro.uk. Withdrawing consent does not affect the lawfulness of processing prior to withdrawal.
15. Cookies
The Service uses essential cookies and equivalent local storage only — specifically, authentication tokens to keep you signed in and the offline cache described in section 10. We do not set tracking, analytics, or advertising cookies, and we do not load third-party scripts that set such cookies on our application domain. See our Cookie Policy for full details.
16. Children's Privacy
The Service is intended for use by businesses and their authorised representatives. It is not directed at, and we do not knowingly collect personal data from, individuals under 18. If you believe a child has provided us with personal data, please contact us at support@vectro.uk and we will delete it.
17. Data Protection Contact
We are not legally required to appoint a Data Protection Officer (DPO) at this time. For all data protection enquiries, including data subject rights requests, please contact:
Data Protection Contact: Tomasz (Founder)
Email: support@vectro.uk
Postal: HQ Parts UK Ltd, 37 Wheatcrofts, Barnsley, South Yorkshire, S70 6BZ
We will respond to verifiable requests within one calendar month, as required by UK GDPR Article 12(3). We may extend this by up to two further months for complex or numerous requests, in which case we will notify you within the first month.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or legal requirements. For material changes, we will provide thirty (30) days' notice via email to your registered address or via the Service. The "Last updated" date at the top of this document indicates when it was last revised. We recommend reviewing this policy periodically.
19. Contact
Email: support@vectro.uk
Company: HQ Parts UK Ltd
Address: 37 Wheatcrofts, Barnsley, South Yorkshire, S70 6BZ
ICO: ico.org.uk · 0303 123 1113