Trust, Security & Privacy

This page is maintained by London Checks Ltd to answer common security and privacy questions about our service. It describes controls we have enabled today; it is not an independent certification or audit attestation.

Authentication & Access
  • Email/password sign-in with verification, plus Google OAuth.
  • Roles (admin, manager, worker, client) are stored separately from user profiles and enforced server-side.
  • New sign-ups are placed in a pending state until an admin approves them.
  • Anonymous sign-ups are disabled.
  • Admin "View-As" impersonation is logged, time-limited, and never grants extra database privileges.

Data Protection (Row-Level Security)
  • Row-Level Security is enabled on every table that holds customer data.
  • Clients can only read their own properties, jobs, invoices and reports.
  • Workers can only read jobs assigned to them and their own attendance records.
  • Sensitive credential columns (third-party API tokens, OAuth tokens) are not readable by the browser — only trusted server code can access them.
  • Audit log writes only happen through a controlled server-side function.

Secrets & Connector Safety
  • Third-party credentials (email, calendar, Todoist, QuickBooks, captcha) are stored as backend secrets, never in client code.
  • QuickBooks Online is currently in read-only mode per business entity; no invoices are written without separate approval.
  • Gmail and Google Calendar integrations run through a managed connector — we do not store your inbox or calendar contents.
  • Public submission forms (contact, quote, inquiry) include captcha, honeypot and timing checks to block automated abuse.

Data We Process
  • Contact details you provide via our forms (name, email, phone, message, property address).
  • Operational records related to services you book (jobs, schedules, attendance, invoices).
  • Account data when you sign in (email, profile, role).
  • We do not sell personal data.

Subprocessors & Hosting
  • Application hosting and backend infrastructure are provided by our managed cloud platform.
  • Authentication, database and file storage are provided by Supabase.
  • Bot protection on public forms is provided by Cloudflare Turnstile (when enabled).
  • Optional integrations you enable yourself (Google, Todoist, QuickBooks) process the data described in their own privacy notices.

Retention & Your Rights
  • Operational records are retained while your account is active and for a reasonable period afterwards for legal, tax and audit purposes.
  • You can request access, correction or deletion of your personal data by contacting us at the address below.
  • For UK GDPR requests we will respond within statutory timeframes.

Security or Privacy Contact

To report a security concern, request data access/deletion, or ask about this page, email londonchecksltd@gmail.com. Please do not include passwords, API keys, or other credentials in your message.

This page is editable content maintained by London Checks Ltd. See also our contact page.