1. Who we are
Wedge ("we", "us", "our") provides WhatsApp-based invoicing for UK tradespeople. We are the data controller for the personal data described in this policy.
Contact: privacy@getwedge.co.uk
2. What data we collect
Account data
- Full name, email address, phone number (WhatsApp)
- Business name, VAT registration status and number
- No password — sign-in uses single-use email magic links. We only store short-lived hashed tokens to verify the link you received in your email.
Invoice and payment data
- Invoice details (amounts, descriptions, customer names)
- Payment status and Stripe transaction references
Usage data
- WhatsApp messages sent to Wedge for invoice creation
- Login timestamps and IP addresses (for security and audit purposes)
- Actions taken within your account (audit log)
3. Why we process your data (legal basis)
- Contract performance — to provide the Wedge invoicing service you signed up for (account management, invoice creation, payment processing, reminders).
- Legitimate interests — to maintain security, prevent fraud, and improve our service.
- Consent — for marketing emails and analytics, which you can withdraw at any time from your account settings.
- Legal obligation — to comply with tax, accounting, and regulatory requirements.
4. Third parties we share data with
- Stripe — payment processing. Stripe acts as an independent controller for payment data. See Stripe's Privacy Policy.
- Meta (WhatsApp Business API) — message delivery. See WhatsApp's Privacy Policy.
- Supabase — database hosting (EU region). Data is encrypted at rest and in transit.
We do not sell your personal data to any third party.
5. Data retention
We retain your account data for as long as your account is active. Invoice data may be retained for up to 7 years after creation to comply with HMRC record-keeping requirements.
When you delete your account, all personal data is permanently removed. Invoice records are anonymised (personal identifiers removed) to maintain accounting integrity.
6. Your rights under UK GDPR
You have the right to:
- Access — request a copy of your personal data (available via Settings > Privacy > Export Data)
- Rectification — correct inaccurate data (available via Settings > Profile)
- Erasure — delete your account and data (available via Settings > Privacy > Delete Account)
- Restrict processing — limit how we use your data (available via Settings > Privacy > Restrict Processing)
- Data portability — export your data in a machine-readable format (JSON or CSV, available via Settings)
- Withdraw consent — revoke consent for marketing or analytics at any time (available via Settings > Privacy > Consent Management)
- Object — object to processing based on legitimate interests
To exercise any of these rights, use your account settings or contact us at privacy@getwedge.co.uk.
7. Security
We protect your data with industry-standard measures including encrypted connections (TLS), passwordless sign-in (single-use, short-lived email magic links — we never store passwords), HttpOnly session cookies, and server-side-only access to sensitive credentials. Access to production systems is restricted and audited.
8. Cookies
We use a single session cookie (wedge_session) to keep you logged in. It is HttpOnly, Secure, and SameSite=Lax. We do not use third-party tracking cookies.
9. Complaints
If you are unhappy with how we handle your data, you can lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
10. Changes to this policy
We may update this policy from time to time. Significant changes will be communicated via email or an in-app notice. The "Last updated" date at the top reflects the most recent revision.
