Privacy Policy

How SVApp collects, uses and protects your information.

Effective date: 27 May 2026

Last updated: 27 May 2026

This Privacy Policy explains how SVApp.net ("SVApp", "the site", "we", "us", "our") collects, uses, and protects personal data when you visit svapp.net, request a quote, sign up for the service, or use the SVApp administration panel.

This policy is written to satisfy the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. SVApp is operated by WebFTL Ltd ("the operator"). If you have questions or wish to exercise your data rights, contact us at contact@svapp.net.

1. Who this policy covers

We distinguish between three groups:

  • Visitors to svapp.net - people browsing our marketing site, requesting a quote, or contacting us.
  • SVApp customers - trade businesses that subscribe to SVApp and operate their own website through our platform.
  • Visitors to a customer's website - end users of the websites we host on behalf of our customers (for example, a customer of an electrician we built a site for). For those visitors, the SVApp customer is the data controller and their own privacy policy applies. We act as a data processor on their behalf.

This policy primarily addresses the first two groups. If you visit a site we host but did not build for yourself, please refer to that site's privacy policy.

2. What data we collect

When you browse svapp.net

  • Technical data automatically transmitted by your browser: IP address (truncated/anonymised before storage), device type, operating system, browser type, referring URL, pages visited, timestamps. Used only for aggregate analytics and security.
  • Cookies and similar technologies as described in section 6.

When you request a quote or contact us

  • Identification data: name, business name, email address, phone number (if provided).
  • Quote details: trade or industry, services offered, target locations, brand preferences, and other information you supply through the quote builder or contact form.
  • Communication records: the content of your messages to us, including subsequent email correspondence.

When you become an SVApp customer

In addition to the above:

  • Account data: login credentials (passwords are hashed, never stored in plain text), user role, tenant assignment.
  • Billing data: subscription status, plan, payment dates. Payment card details are not stored by SVApp - they are handled by our payment processor under their own privacy notice.
  • Operational data: content you upload through the admin panel (pages, services, projects, media, navigation, site settings, cookie configuration), and metadata about your edits (timestamps, the user who made the change).
  • Custom domain configuration: if you connect your own domain, we store its DNS configuration and verification state.

When visitors interact with your website (where you are the SVApp customer)

We process - on your behalf and under your instructions - data that visitors submit through the contact, quote, and lead-capture forms you choose to enable. This typically includes name, contact details, and free-text message content. We forward submissions to you and retain them on your tenant for as long as you keep them in the admin panel.

We do not enrich, sell, or use this data for any purpose other than delivering the form submissions to you and providing the service you have subscribed to.

3. How we use your data, and the legal basis

  • Replying to enquiries and contact submissions. Categories used: identification, communication. Legal basis (UK GDPR Article 6): legitimate interests (handling enquiries).
  • Quoting and onboarding. Categories used: identification, quote details. Legal basis: pre-contractual steps at your request (Article 6(1)(b)).
  • Providing the SVApp subscription service. Categories used: account, operational, billing. Legal basis: performance of contract (Article 6(1)(b)).
  • Processing payments and preventing fraud. Categories used: billing. Legal basis: legal obligation and legitimate interests.
  • Sending service emails (account, security, billing). Categories used: identification, account. Legal basis: performance of contract.
  • Site analytics and product improvement. Categories used: technical, cookie-derived. Legal basis: consent (where required) and legitimate interests for aggregated metrics.
  • Securing the platform. Categories used: technical, account. Legal basis: legitimate interests (security, fraud prevention).
  • Complying with legal obligations. Categories used: all categories where applicable. Legal basis: legal obligation.

Where we rely on consent (analytics cookies, optional marketing communications), you can withdraw consent at any time without affecting prior lawful processing.

4. Who we share your data with

We do not sell personal data and we do not share it for unrelated marketing purposes. The following categories of recipient may process data on our behalf as data processors under written agreements that satisfy UK GDPR Article 28:

  • Vercel Inc. - application hosting, edge network, and (with your consent) Vercel Analytics. Vercel Analytics is cookieless and aggregates only anonymised page-view data; IP addresses are truncated before storage.
  • Neon, Inc. - serverless Postgres database hosting. Customer and end-visitor data submitted through the platform is stored in a Neon project located in the United Kingdom (London region).
  • Hetzner Online GmbH - object storage for images and media uploaded through the admin panel. Stored in the European Union.
  • Calendly LLC - if a customer chooses to enable a booking link on their site, visitors clicking that link interact with Calendly's service directly. Calendly is the data controller for that interaction; we do not see the visitor's data unless they complete the booking and you choose to import the record.

We may also disclose personal data:

  • To professional advisers (lawyers, accountants, auditors) bound by confidentiality, where necessary for legal compliance.
  • To regulators, courts, and law enforcement where required by law or to protect our or others' rights.
  • To a successor entity in connection with a corporate transaction (merger, acquisition, reorganisation); you will be notified before any such transfer.

5. International transfers

The processors listed above operate infrastructure inside the United Kingdom and the European Economic Area for the storage of personal data. Where any processor must transfer data outside the UK/EEA (for example, for support operations from a US office), the transfer is governed by the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an adequacy decision, as appropriate.

You can request a copy of the transfer mechanism in place for any specific processor by emailing contact@svapp.net.

6. Cookies and similar technologies

When you first visit svapp.net (or a site we host for a customer that uses our consent banner), you will be asked to choose which cookie categories you accept. Your choice is stored in a first-party cookie named consent_v1 for 12 months, after which we will ask you again.

Categories we use:

  • Strictly necessary - required for the site to function (session management, security, the consent banner itself). Always on.
  • Functional - remember your preferences (for example, your last submitted quote draft). Default off; you opt in.
  • Analytics - aggregated, anonymised page-view metrics via Vercel Analytics. No cross-site tracking, no advertising profiles. Default off; you opt in.
  • Marketing - only loaded if a customer site has configured a third-party marketing tag (such as Google Analytics or Meta Pixel) and the visitor has accepted this category. svapp.net itself does not run marketing cookies today.

You can change your choices at any time by clicking the cookie settings link in the site footer, or by clearing the consent_v1 cookie in your browser.

7. Retention

We retain personal data only as long as we need it for the purposes set out in this policy:

  • Enquiry and contact form submissions: 24 months from last interaction, then deleted.
  • Quote requests that did not become subscriptions: 12 months, then deleted.
  • Active customer account and content data: throughout the subscription, plus 30 days after termination for restoration purposes, then deleted unless legal retention applies.
  • Billing records and invoices: 6 years (UK statutory requirement under the Companies Act 2006).
  • Aggregated, anonymised analytics: indefinitely (no longer personal data).
  • Server access logs: 30 days.

You can request earlier deletion of data we hold about you by contacting us; we will comply unless a legal obligation requires us to keep it.

8. Your rights

Under the UK GDPR you have the right to:

  • Access - request a copy of the personal data we hold about you.
  • Rectification - correct inaccurate or incomplete data.
  • Erasure - ask us to delete your data ("right to be forgotten"), subject to legal exceptions.
  • Restriction - ask us to pause processing while a dispute is resolved.
  • Portability - receive your data in a structured, machine-readable format and transmit it to another controller.
  • Object - object to processing based on legitimate interests, including direct marketing.
  • Withdraw consent - where we rely on your consent, you can withdraw it at any time.
  • Complain - lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk or 0303 123 1113. We would, however, appreciate the opportunity to address your concerns first.

To exercise any right, email contact@svapp.net. We will respond within one month. We may need to verify your identity before acting on a request.

9. Security

We protect personal data with industry-standard measures including:

  • TLS 1.2+ for all data in transit.
  • Encryption at rest on database, object storage, and backup providers.
  • Role-based access control: customers can only see and edit their own tenant's data. Administrative access is restricted to authenticated platform operators.
  • Hashed passwords (we never store plain-text credentials).
  • Server-side input validation and CAPTCHA on public forms.
  • Regular dependency updates and security reviews of platform code.

No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals where required.

10. Children

SVApp is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced on svapp.net and, where appropriate, by email to customers. The "Last updated" date at the top of this document reflects the most recent revision. Continued use of the service after a change indicates acceptance of the revised policy.

12. Contact

For any privacy-related question, request, or complaint, contact:

  • Email: contact@svapp.net

The supervisory authority for data protection in the United Kingdom is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom - https://ico.org.uk.