Who we are
CrewFlow is operated from Belfast, Northern Ireland. We provide software for UK construction companies to manage leads, quotes, jobs, staff, payroll, invoices, and payments. When this policy says “we” or “CrewFlow”, that's us. When it says “you”, it means anyone using the product — owners, admins, staff, and the customers our users send quotes or invoices to.
What we collect
- Account data — your email, name, phone (optional), and the organisation you belong to. Stored when you sign up or are invited to a CrewFlow workspace.
- Business data you enter — customers, leads, jobs, quotes, invoices, payments, time entries, payroll runs, and any notes or files you attach. This is your data; we hold it to provide the service.
- Customer-facing data — when an end customer opens a quote link or signs in to the customer portal, we record the fact that the link was opened (timestamp + a hashed IP for audit). We do not sell or share this with anyone.
- Operational telemetry — error reports and performance traces via Sentry, used to keep the product reliable. These contain technical diagnostics (stack traces, timings), not your business records, and we never use them for advertising. We do not currently run product-analytics tracking; if we introduce it, it will be optional and stays off until you opt in (see Cookies below).
What we don't do
- We don't sell your data. Ever.
- We don't use customer-facing data (the quote/invoice/portal links) to market anything to your end customers. They're your customers, not ours.
- We don't run third-party advertising trackers on the product (the CrewFlow app, the customer portal, or the public quote pages).
Where it's stored
Primary storage is Supabase (PostgreSQL), hosted in the European Union. Backups are encrypted at rest. File uploads (receipts, photos) live in Supabase Storage with the same regional scope. Operational telemetry (Sentry) is processed under its DPA.
Who can see your data
Row-Level Security on every table enforces that members of one organisation can't see another's rows. Customer-facing share links (the /q/<token> quote portal and the /customer-portal/<token> hub) use long random tokens — anyone with the token sees the data; the contractor can rotate the token to revoke access at any time.
Internally, only the on-call engineer can access production infrastructure, and access is logged. We don't look at your business data unless you ask us to (e.g. to debug an issue).
Cookies
We use a small number of essential cookies, and nothing else by default:
- A Supabase auth session cookie so you stay signed in. Strictly necessary; cannot be disabled while using the product.
- A cookie remembering your active workspace (and, for our staff, a short-lived support-access cookie). Strictly necessary to run the app.
We do not set analytics or advertising cookies by default. If we introduce optional product analytics, we'll ask for your consent first with a banner that lets you accept or reject. Reject keeps only the essential cookies above, and nothing analytics-related loads unless and until you accept. You can change your mind later by clearing the consent cookie.
The customer portal and public quote pages never set analytics or tracking cookies for end customers.
Your rights under UK GDPR
You can ask us to (a) confirm what data we hold about you, (b) provide a copy, (c) correct anything that's wrong, or (d) delete it (subject to lawful retention obligations, like tax records). Email hello@crewflow.uk and we aim to respond within 14 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Retention
Active workspaces retain data for as long as the account exists. When you delete a workspace, we delete the business data within 30 days. Operational logs (Sentry, Supabase audit) roll off on a 90-day window. Where UK tax law requires us to retain certain records (e.g. invoice metadata for HMRC), we'll do so for the statutory period and no longer.
Changes
We'll update this page when the product or the law changes. Material changes are emailed to account owners ahead of taking effect.
Contact
Email hello@crewflow.uk for anything — data requests, complaints, or questions.