Privacy Policy
Last updated: 10 March 2026
1. Who we are
GoFix is operated by RAVE AI ("we", "us", "our"). We are the data controller for personal data processed through the GoFix application at app.gofixapp.uk.
Contact: [email protected]
2. What data we collect and why
The table below lists every category of personal data we hold, why we hold it, and the lawful basis under UK GDPR.
| Data | Purpose | Lawful basis |
|---|---|---|
| Full name | Display in app, on PDF quotes and invoices | Contract |
| Company name | Display on PDF quotes and invoices | Contract |
| Email address | Account login, service communications | Contract |
| Password (hashed) | Account authentication — never stored in plain text | Contract |
| Trade type & hourly rate | Pre-fill quote builder, calculate costs | Contract |
| VAT status | Apply correct VAT to quotes | Contract |
| Business address, phone, website | Display on Pro PDF documents (optional) | Contract |
| Company number & VAT number | Display on Pro PDF documents (optional) | Contract |
| Logo image URL | Display on Pro PDF documents (optional) | Contract |
| Bank details (name, sort code, account number) | Display on invoice PDFs (optional, Pro only) | Contract |
| Quote and job data | Core app functionality | Contract |
| Client contact details | Stored per quote for document generation | Contract |
| Stripe customer & subscription IDs | Manage Pro subscription billing | Contract |
| Session cookie (httpOnly, Secure) | Keep you logged in securely | Legitimate interests |
| Analytics (Umami — anonymised) | Understand how the app is used; no personal data sent | Consent |
3. Cookies
We use two types of cookies:
- Essential session cookie — a single httpOnly, Secure cookie that keeps you logged in. Strictly necessary; no consent required.
- Analytics cookie (Umami) — privacy-friendly analytics. Umami does not collect personal data and does not use cross-site tracking. Only set if you click "Accept all" on the cookie banner.
You can change your cookie preferences at any time by clearing your browser cookies and reloading the app.
4. Third-party processors
- Stripe — payment processing. PCI DSS Level 1 certified. We never see or store card details. Stripe Privacy Policy.
- Amazon Web Services (AWS S3) — cloud storage for uploaded logos. Data stored in EU (Ireland).
- Umami Analytics — privacy-first analytics (consent only). No personal data transmitted.
5. Data retention
| Data type | Retention period |
|---|---|
| Account and profile data | Until you delete your account |
| Quotes, jobs, and client records | Until you delete your account |
| Stripe subscription IDs | Until you delete your account |
| Session cookies | 30 days (refreshed on each login) |
| Uploaded logo images (S3) | Until you delete your account or replace the image |
| Anonymised analytics data | Rolling 24 months |
6. Your rights under UK GDPR
Most rights can be exercised directly within the app:
- Right of access: Download a full copy of all your personal data from Settings → Your Data → Download my data.
- Right to rectification: Update your profile information at any time from Settings.
- Right to erasure: Delete your account and all associated data from Settings → Your Data → Delete my account. Deletion is permanent and immediate.
- Right to data portability: Download your data as a structured JSON file from Settings → Your Data → Download my data.
- Right to restriction: Contact us at [email protected] to request restriction of processing.
- Right to object: Withdraw consent for analytics cookies at any time by clearing cookies and selecting "Essential only" on the cookie banner.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
7. Data security
- Passwords hashed with bcrypt (12 rounds) — never stored in plain text
- Session cookies set with httpOnly and Secure flags
- All data transmitted over HTTPS/TLS
- Payment card data handled exclusively by Stripe
- File storage on AWS S3 with non-enumerable keys
8. International transfers
Your data is stored within the EEA. Where sub-processors operate outside the EEA, appropriate safeguards are in place under UK GDPR Article 46, including Standard Contractual Clauses.
9. Changes to this policy
We will notify you of material changes by email or by displaying a notice in the app. The "last updated" date at the top reflects the most recent revision.