Privacy policy
Last updated: 30 April 2026
This policy explains what personal data Foreman collects, how we use it, who we share it with, and what your rights are. It is written for tradespeople who use Foreman, and for the customers those tradespeople serve.
Who we are
Foreman is operated by Luke Pledger, a sole trader trading as “Foreman” from the United Kingdom. We are the data controller for the personal data described below.
We are registered with the UK Information Commissioner’s Office (ICO) as a data controller. Our registration reference will be added to this page once issued by the ICO.
Service address: [REPLACE WITH SERVICE ADDRESS BEFORE LAUNCH], United Kingdom.
Contact / data protection enquiries: hello@foremanai.trade. As a sole trader we are not required to appoint a Data Protection Officer; data-protection enquiries are handled by Luke Pledger and answered from this address.
The two kinds of people in our data
Foreman handles two distinct groups, with different relationships to us:
- Tradespeople — our customers. They sign up to Foreman, pay a subscription, and use the product. We are the data controller for their data.
- End customers — the homeowners and businesses that the tradesperson serves. The tradesperson is the data controller for these records; Foreman is a data processor acting on their instructions to handle messages on their behalf.
If you are an end customer and want to exercise rights over your data, your first point of contact is the tradesperson you booked with — they are the data controller and will be best placed to locate and act on your records. You may also contact us directly at hello@foremanai.trade and we will assist or pass the request to the tradesperson as appropriate.
Where Foreman processes personal data on a tradesperson’s behalf, we do so under a data processing agreement that forms part of our Terms of Service. The full terms are published at foremanai.trade/dpa.
What data we collect
From tradespeople (when you sign up and use Foreman):
- Name, business name, email address, phone number
- Trading address (if provided during onboarding)
- Login credentials (we store a hash of your password and a session token; we never see your plaintext password)
- Connected-account credentials, encrypted at rest: WhatsApp Business access token, Google Calendar OAuth tokens, Stripe customer ID
- Service data: your jobs, customers, appointments, quotes, invoices, expenses, reviews, working hours, rate cards
- Conversation data: messages exchanged with your customers via WhatsApp through Foreman
- Technical data: IP address, browser type, device identifiers, push-notification tokens (mobile app), basic usage events
- Billing data: Stripe customer ID and subscription status (your card details are held by Stripe, never by Foreman)
From end customers (on behalf of the tradesperson):
- Name (when shared with the tradesperson)
- Phone number (used as the primary identifier)
- Email address (when shared, used to send booking, quote, invoice, reminder and review emails)
- Service address (when relevant to a job)
- The content of WhatsApp messages exchanged with the tradesperson
- Recordings of inbound calls answered by Foreman on the tradesperson’s behalf
- Transcripts of those calls (the speech-to-text output Foreman uses to understand and reply to the caller)
- Call duration
- Call metadata — start and end time, caller phone number, whether the call was transferred to the tradesperson
- Job details and history with the tradesperson
Recorded calls — transparency. Inbound calls to a tradesperson’s Foreman number are answered by Foreman and are recorded. Recording is core to how the service works. Callers are informed by a spoken notice at the start of every call that the call is handled by Foreman on the tradesperson’s behalf and is being recorded; callers who do not consent can hang up at that point and contact the tradesperson directly through their personal number.
How we use it
We use this data to:
- Provide the Foreman service to you
- Send and receive WhatsApp messages on a tradesperson’s behalf (scheduling, rescheduling, reminders, follow-ups)
- Answer inbound WhatsApp Business calls and (where the tradesperson has enabled phone-call coverage) inbound phone calls on the tradesperson’s behalf — including recording the call and converting speech to text so Foreman can respond, hold context, and surface the conversation to the tradesperson
- Send transactional emails on a tradesperson’s behalf to end customers — booking confirmations, quotes, invoices, appointment reminders, and review requests
- Process payments and manage subscriptions through Stripe
- Improve and debug the product (technical logs, error reports, limited product analytics)
- Send service emails (account confirmations, billing receipts, security notices)
- Comply with legal obligations (tax records, fraud prevention)
What we never do with your data:
- We do not sell personal data.
- We do not use customer message content to train AI models.
- We do not use Foreman data for advertising or marketing to third parties.
Lawful basis (UK GDPR Art. 6)
- Contract — to deliver Foreman to you under our Terms of Service: creating and operating your account, authenticating you, sending and receiving messages on your behalf, scheduling jobs, processing payments through Stripe, and providing the dashboard and mobile app.
- Legitimate interest — to keep the service secure, debug technical issues, improve the product, and record inbound calls answered by Foreman on a tradesperson’s behalf so that the agent can hold context across a conversation, the dashboard can surface what was said, and the tradesperson can audit the interaction. Our legitimate-interest assessment for call recording weighs this against the caller’s privacy and is supported by the transparency notice played at the start of every call (a caller who does not consent can hang up and reach the tradesperson directly). You can object to legitimate-interest processing at any time.
- Legal obligation — to keep tax records (six years) and respond to lawful requests from regulators or authorities.
- Consent — for any optional marketing emails (none currently sent), withdrawn at any time.
Who we share data with (sub-processors)
Foreman uses the following third parties to operate the service. Each is bound by a data processing agreement.
- Anthropic (US, EU) — runs the AI agent that composes WhatsApp replies. Message content is sent to Anthropic’s API for inference. Anthropic does not use this data to train its models.
- Meta Platforms (US, EU) — delivers WhatsApp messages and routes WhatsApp Business Calling between the tradesperson and end customer via the WhatsApp Business Cloud API.
- Vapi (US) — voice telephony, speech-to-text, text-to-speech, and call recording that powers Foreman’s voice answering. Audio recordings are retained for up to 30 days for quality and dispute resolution. Bound by a data processing agreement; audio and transcripts are not used to train Vapi’s or its upstream providers’ models.
- OpenAI (US) — automatic speech-to-text (Whisper) for voice transcripts when used by Vapi. Bound by a data processing agreement; audio and transcripts are not used to train OpenAI’s models.
- Stripe (US, UK, EU) — processes subscription payments. Holds card data; we do not.
- Resend (US, EU) — sends transactional emails on the tradesperson’s behalf (booking confirmations, quotes, invoices, appointment reminders, review requests) and our own service emails (magic-link login, billing receipts). Bound by a data processing agreement.
- Google (US, EU) — calendar sync, where the tradesperson connects Google Calendar.
- Railway (US, EU) — hosts the application and database.
- Sentry (EU — Frankfurt) — error and crash reporting. Sensitive fields are redacted before transmission.
- PostHog (EU — Frankfurt) — privacy-respecting product analytics. Event names and tradesperson IDs only; no message content.
- Langfuse (EU — Frankfurt) — observability for the AI agent (prompts, completions, costs).
- Apple Push Notification service / Expo (US) — delivers push notifications to the iOS app.
International transfers
Some sub-processors are based in the United States. Where data is transferred outside the UK or EEA, the transfer is covered by the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or an adequacy decision (such as the UK-US Data Bridge for certified US providers).
We assess each restricted transfer and apply appropriate additional safeguards, including transfer-risk assessments where required. We review these assessments when a sub-processor is added or changed, or when guidance from the ICO or European Data Protection Board materially shifts.
How long we keep it
- Active accounts — for as long as the subscription is active.
- After account deletion — your data is immediately deactivated and made inaccessible at deletion. All tenant data (jobs, customers, messages, etc.) is then permanently deleted within 30 days, after which database backups will have rotated. A hashed audit record of the deletion is retained for legal and accountability purposes (one-way hashes only — no identifying details).
- Voice recordings and transcripts — retained for 30 days from the call, then automatically deleted. Deleted earlier if the tradesperson’s account is deleted first.
- Transactional email records — retained for 90 days for delivery diagnostics (bounce, complaint, spam reports), then automatically deleted. Deleted earlier if the tradesperson’s account is deleted first.
- Billing records — Stripe retains transaction records for at least six years to meet UK tax requirements.
- Technical logs — retained for up to 90 days, then automatically purged.
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Erase your data (“right to be forgotten”)
- Restrict or object to processing
- Receive your data in a portable format
- Withdraw any consent you have given
- Lodge a complaint with the ICO at ico.org.uk/make-a-complaint, or by post at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tradespeople can delete their own account at any time from inside the dashboard (Settings → Delete account). See the account deletion instructions for details.
To exercise any other right, email hello@foremanai.trade. We respond within 30 days.
Security
Data is encrypted in transit (HTTPS) and sensitive credentials (WhatsApp tokens, OAuth tokens) are encrypted at rest. Passwords are hashed with bcrypt. The database enforces tenant isolation both at the application layer and at the row level. Webhook signatures are verified before any state change. Authentication endpoints are rate-limited.
Cookies
See our cookies policy for details on what we set and why.
Automated decision-making
Foreman uses AI to draft messages, route conversations, and answer calls on a tradesperson’s behalf. We do not carry out solely automated decision-making that produces legal or similarly significant effects on you within the meaning of UK GDPR Article 22. Consequential actions (confirming bookings, sending messages outside the open conversation window, cancellations, escalations) are gated on tradesperson approval or on caller-initiated input.
Children
Foreman is intended for adults (18+) operating a trade business. We do not knowingly collect data from children.
Changes to this policy
We will update this page and revise the “Last updated” date. Material changes will also be notified to active tradesperson accounts by email at least 30 days before they take effect.
Contact
Questions, requests, or concerns: hello@foremanai.trade.