Privacy Policy

Information we collect

When you message our WhatsApp bot or use our website, we may collect:

• Your WhatsApp phone number and display ("push") name.
• The content of your messages: typed text, voice notes, photos, drawings, and project documents you send.
• Information derived from that content: voice transcripts, photo summaries, and text extracted from drawings or documents, used to build your estimate.
• Project and estimate details: dimensions, quantities, materials, client/company names, and the estimates, quotes, invoices, and documents we generate for you.
• Website form details you provide voluntarily, such as your name, email address, and company name.
• Subscription and payment status (we do not see or store full card details — see Payments).
• Operational diagnostics needed to keep the service working (redacted — see Diagnostics and security).

How we use your information

We use your data to:

• Generate, recall, and revise your estimates and documents.
• Send you those documents over WhatsApp and, where appropriate, by email.
• Operate your subscription, bill usage, and prevent abuse.
• Provide support and respond to your requests.

Our lawful bases are performance of a contract (providing the estimating service), our legitimate interests (running, securing, and improving the service), consent where required (for example, optional marketing messages), and legal obligation (keeping tax and financial records).

How your data flows through our systems

A WhatsApp message is received through our messaging provider, normalised by our workflow automation (n8n), and processed by our backend (Firebase Cloud Functions and our internal tool layer) to produce an estimate or document. We keep operational session memory compact: it stores durable state such as your current estimate reference and work type, not large files or long message histories. Generated PDFs, CSVs, and Word documents are produced on demand and sent to you; we store only their metadata, not the file contents.

What we store

In our database (Google Firestore, accessible only to our backend) we keep:

• A pseudonymised customer record: a one-way hash of your phone number plus its last four digits — never the full number — with sign-up source and activity dates.
• Your estimates and their revisions: structured inputs, results, assumptions, and document metadata (not the generated files themselves).
• Records of emails we sent you: recipient, subject, document reference, and delivery status.
• Usage and billing events, and subscription/payment status.
• Where you are a marketing contact: campaign recipient details and consent/opt-out status.
• Administrative configuration and supplier price data used to produce estimates.
• Redacted diagnostic records (debug sessions and error logs) for a short period.

Raw media and data minimisation

We minimise sensitive data by design. Your phone number is stored only as a keyed hash plus the last four digits. Raw voice recordings, full transcripts, extracted document/OCR text, photo content, and generated file binaries are stripped before we write to our database — we keep summaries and metadata, not the raw media. We do not retain raw media or full transcripts in normal session or diagnostic state. Where a fault needs investigating, a diagnostic mode may temporarily capture more detail; such records are access-controlled, redacted of secrets and full phone numbers, and age out automatically.

Email communications

When you ask us to email a document, or when WhatsApp delivery is not possible, we send it through our email provider (SendGrid) from our backend. We log the send and its delivery status (delivered, bounced, and similar). Any confirmation we send back over WhatsApp shows your email address only in masked form (for example, j...@example.com).

Payments

Subscriptions are handled by Stripe. Card payments are processed directly by Stripe under their own privacy policy; we do not receive or store your full card details. We store your subscription and payment status so we can provide the paid features.

Marketing and CRM contacts

If you are part of an outreach campaign, we hold your contact details and consent/opt-out status, which may be synchronised with our CRM and sent through WhatsApp or SMS providers. We honour opt-out requests and you can ask us to stop contacting you at any time.

Third parties who process data for us

We share data only with service providers who process it on our behalf under contract:

• WhatsApp and SMS messaging providers (including Twilio and our WhatsApp delivery partners).
• Our workflow automation platform (n8n).
• Google Firebase / Google Cloud (hosting, functions, database).
• Our AI/large-language-model provider, used to interpret your request and draft text.
• Stripe (payments), SendGrid (email), and our CRM provider (marketing contacts).
• Supplier price data sources used to ground material costs.

We do not sell, rent, or trade your personal information. Your project data and estimates are never shared with other builders.

Diagnostics and security

We keep redacted operational logs and debug timelines to investigate faults and prevent abuse. These exclude API keys, access tokens, full phone numbers, raw media, full transcripts, and generated files. Our database is accessible only to our backend services; clients have no direct access. We apply appropriate technical and organisational measures to protect your data.

How long we keep your data

We keep data for the shortest period that is useful, then delete it:

• Abandoned drafts: about 90 days.
• Sample estimates: about 30 days.
• Active estimates/quotes: up to 24 months after last activity.
• Accepted estimates and invoices: up to 6 years (UK tax and limitation periods).
• Declined or superseded estimates: about 12 months.
• Usage/billing records: up to 6 years (financial records).
• Redacted diagnostic records: about 30 days.
• Customer records: while a live estimate exists, otherwise up to 24 months after last activity.

AI training

Your drawings, project data, and estimates are not used to train public AI models. We use AI providers only to process your request and produce your estimate. Your data remains yours.

Your rights

Under UK GDPR you have the right to access, correct, delete, restrict, or port your personal data, and to object to certain processing. To make a request, message our WhatsApp bot (for example, "delete my data") or email privacy@5minutestimate.co.uk. Because customers are identified by a hash of their phone number, we verify your identity by control of that WhatsApp number before exporting or deleting data. We respond within 30 days. Some records — accepted estimates and invoices — may be retained for up to 6 years to meet legal obligations even after a deletion request; we will tell you what we keep and why. You may also complain to the UK Information Commissioner's Office (ICO).

Cookies and tracking

Our website may use cookies to enhance your experience. You can disable cookies through your browser settings. Our WhatsApp service does not rely on website cookies.

International transfers

Some of our providers process data outside the United Kingdom. Where data is transferred internationally, we rely on appropriate safeguards such as UK adequacy regulations or standard contractual clauses.

Changes to this policy

We may update this policy from time to time. We will post the new version on this page with an updated date and, for material changes, take reasonable steps to notify you.