Attorney-review draft — not legal advice; placeholders in [BRACKETS] must be completed before use.

GaugeTrace Privacy Policy

Applies to: the GaugeTrace marketing website ([gaugetrace.com] / [domain]), the GaugeTrace web dashboard, and the GaugeTrace / PoolGauge IQ mobile applications (together, the "Services").


Document	Public Privacy Policy (UK GDPR + US / CCPA-aware)
Version	v1.0
Effective date	[Effective date — DD Month 2026]
Last updated	[DD Month 2026]
Owner	[GaugeTrace Ltd] — Data Protection lead
Related documents	Data Processing Agreement (DPA), Cookie Policy, Terms of Service, End User Licence Agreement (EULA), Hardware & Calibration Terms

1. Introduction — who we are and what this notice covers

This Privacy Policy explains how [GaugeTrace Ltd] ("GaugeTrace", "we", "us", "our") collects, uses, shares and protects personal data when you visit our website, create or use an account, use our mobile and web applications, purchase or use our smart-gauge hardware kits, or otherwise interact with us.

GaugeTrace provides an offline-capable smart wireless-gauge evidence platform for pressure testing. Our first module is PoolGauge IQ (pool and spa pressure testing). The platform captures guided test steps, settling and test windows, Bluetooth Low Energy (BLE) or manual pressure readings, GPS coordinates, timestamps, technician identity, calibration status, customer e-signatures, and produces branded pass / fail / needs-review reports.

Important — our pass / fail / needs-review output is decision-support evidence, not a certified inspection, engineering certification, or legal determination. Our customers and their licensed professionals remain responsible for final test interpretation and any regulatory sign-off. This affects whose data we hold and in what role (see Section 3).

Who this notice is for. This notice is written for:

Website visitors and prospective customers;
Account holders and authorised users of the Services (company admins, office staff, and field technicians employed or engaged by our business customers);
Hardware purchasers of GaugeTrace-bundled BLE smart-gauge kits;
US-based individuals (see Section 9 for California / CCPA-specific rights and our US-customer posture).

Who this notice is not the primary notice for. Where you are an end-customer of one of our business customers (for example, a homeowner whose pool is being pressure-tested, or a site contact whose details appear on a test report), the business customer — not GaugeTrace — is the controller of that data. We handle that data as a processor on their instructions. Please refer to that business's own privacy notice. See Section 3.

2. Controller details and how to contact us

For personal data for which we are the controller (defined in Section 3), the data controller is:

Field	Detail
Legal entity	[GaugeTrace Ltd], a private company limited by shares incorporated in England and Wales
Company number	[company number]
Registered office	[registered office address]
ICO registration number	[ICO registration number]
Privacy / data protection contact	[privacy@gaugetrace.com]
Data Protection lead / DPO	[Name / "Data Protection Lead" — a statutory DPO is not currently mandatory; confirm with counsel and insert contact]
EU/UK representative	[Not currently appointed — confirm whether an Article 27 UK or EU representative is required and insert details]
Postal address for privacy requests	[registered office address], marked "Data Protection"

If you have any question about this notice or how we handle your personal data, contact us at [privacy@gaugetrace.com] in the first instance.

3. The controller / processor distinction — which role we are in

GaugeTrace operates in two different roles depending on whose data is involved. This is central to understanding your rights and the correct point of contact.

3.1 Where GaugeTrace is the controller

We determine the purposes and means of processing — and this Privacy Policy governs — for:

Account & identity data of our business customers and their authorised users (sign-up, authentication, profile, technician identity records, role and permission settings);
Billing & transaction data (subscription plan, seat counts, payment status, invoices, hardware orders);
Marketing & prospect data (enquiries, demo requests, newsletter subscribers, event leads);
Website-visitor data (analytics, cookies, device and usage data on our marketing site);
Support & correspondence data (tickets, emails, onboarding records).

3.2 Where GaugeTrace is a processor

We process on behalf of, and on the documented instructions of, our business customers (who are the controllers) for:

Customer & site PII entered or imported by our customers (their end-customer names, site addresses, contact details);
Pressure-test evidence (guided test steps, BLE/manual pressure readings, pass/fail/needs-review results, pressure traces);
Location, time and operator evidence (GPS coordinates, timestamps, technician identity attached to a test);
Calibration records associated with a test;
Customer e-signatures captured on reports.

For this processor data, the business customer is the controller. Our obligations are set out in our Data Processing Agreement (DPA), which forms part of our Terms of Service and lists the same sub-processors named in Section 7 of this notice. If you are an end-customer of one of our business customers and wish to exercise your rights over evidence data, please contact that business; we will assist them as their processor.

Plain-language summary: We are the controller for the people who hold accounts with us, pay us, and visit our website. We are a processor — a service provider acting on instructions — for the test evidence and end-customer data our business customers put into the platform.

4. Categories of personal data we collect, and sources

4.1 Data we collect as controller

Category	Examples	Source
Identity & account data	Name, business name, job role, username, technician identity, authentication identifiers, profile settings	You / your employer when an account is created; OAuth/SSO providers (Google, Microsoft/Azure) when you sign in
Contact data	Business email, phone number, postal/business address	You; enquiry forms; OAuth providers
Authentication data	Hashed credentials, SSO/SAML assertions, magic-link tokens, MFA status, session and login metadata	You; authentication providers; generated by the Services
Billing & transaction data	Plan tier (Basic/Pro/Enterprise), seat count, sector/integration add-ons, usage/overage counts, invoices, partial payment-card details (last 4 / brand — full card data held by Stripe, not us), hardware orders	You; Stripe; our order records
Usage & device data (app + dashboard)	Feature usage, in-app events, product analytics, app version, device type, OS, crash/error diagnostics	Generated automatically; Sentry; PostHog
Website-visitor data	IP address, approximate location, browser/device data, pages viewed, referring URL, cookie identifiers	Generated automatically on the website (see Cookie Policy)
Marketing & prospect data	Demo requests, enquiry content, marketing preferences, event/trade-show leads, communications history	You; our CRM; events; lawful third-party sources
Support data	Support tickets, correspondence, onboarding notes	You; our support tooling

4.2 Data we process as processor (controlled by our business customers)

Category	Examples	Source
End-customer & site PII	End-customer names, site addresses/postcodes, contact details	Entered/imported by our business customer or its technicians; CRM intake (e.g. Jobber/ServiceTitan via webhook)
Technician identity	Identity of the technician who performed a test	Our business customer
Location & time evidence	GPS coordinates, timestamps	Captured automatically during a test by the mobile app
Pressure-test evidence	Guided steps, BLE/manual readings, pressure traces, pass/fail/needs-review result, photos, field notes	Captured during the test
Calibration records	Smart-gauge calibration status, intervals, certificate references	Our business customer; hardware records
Customer e-signatures	Signature captured on a report	The end-customer signing on the technician's device

We do not intentionally collect special-category data (e.g. health, biometric, racial or political data) or rely on it for our own purposes. GPS coordinates relate to job sites, not to tracking individuals, and are captured as test evidence on our customers' instructions.

5. How and why we use personal data — purposes and UK GDPR lawful bases

The table below applies to data for which we are the controller. (For processor data, the lawful basis is determined by our business customer as controller; we act on their instructions under the DPA.)

Purpose	Personal data used	UK GDPR lawful basis
Create and administer your account; authenticate you (passwords, OAuth, SSO/SAML, magic links)	Identity, account, authentication data	Contract (Art. 6(1)(b)) — performance of our Terms with you/your employer
Provide, maintain and operate the Services	Identity, account, usage, device data	Contract; Legitimate interests (Art. 6(1)(f)) — running a secure, reliable service
Process subscriptions, seats, usage/overage, hardware orders and payments	Billing & transaction data	Contract; Legal obligation (Art. 6(1)(c)) for tax/accounting records
Provide customer support and onboarding	Identity, contact, support data	Contract; Legitimate interests — supporting customers
Product analytics, error monitoring, and improving the Services	Usage, device, diagnostic data	Legitimate interests — understanding and improving the product (balanced against your interests; you can object)
Security, fraud prevention, abuse detection, audit logging	Account, authentication, usage, device data	Legitimate interests — protecting the Services and users; Legal obligation where applicable
Send service / transactional communications (e.g. billing, security, important changes)	Identity, contact, billing data	Contract; Legitimate interests
Direct marketing, newsletters, product updates and event follow-up	Marketing & prospect, contact data	Consent (Art. 6(1)(a)) where required; Legitimate interests for existing-customer B2B marketing of similar products (soft opt-in), subject to an easy opt-out
Non-essential cookies and website analytics/tracking	Website-visitor, cookie data	Consent (Art. 6(1)(a)) — managed via our cookie banner (see Section 11 and the Cookie Policy)
Comply with legal, regulatory, tax and accounting obligations; establish/defend legal claims	As relevant	Legal obligation; Legitimate interests
Corporate transactions (e.g. financing, reorganisation, sale)	As relevant	Legitimate interests (subject to safeguards)

Legitimate interests balancing. Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You may ask for our balancing assessment, and you have the right to object (see Section 8).

Withdrawing consent. Where we rely on consent (marketing, non-essential cookies), you can withdraw it at any time without affecting prior processing — use the unsubscribe link, your cookie settings, or contact [privacy@gaugetrace.com].

6. How we share personal data

We share personal data only as needed to run the Services and our business:

With sub-processors and service providers (Section 7) under written contracts and appropriate safeguards;
With our business customers — for processor data, we make it available to the controlling business customer and their authorised users;
With authentication / SSO providers you choose to sign in with;
With professional advisers (lawyers, accountants, auditors, insurers) under confidentiality;
With authorities, regulators or courts where legally required, or to establish, exercise or defend legal claims;
In a corporate transaction (merger, acquisition, financing, asset sale), subject to confidentiality and this notice.

We do not sell your personal data, and we do not "sell" or "share" personal information for cross-context behavioural advertising as those terms are defined under California law (see Section 9).

7. Sub-processors and third-party providers (canonical list)

We use the following providers to deliver the Services. The same list is reflected in our DPA for processor data. Locations and transfer mechanisms are described in Section 8.

Provider	Purpose	Personal data categories handled	Location / region
Supabase	Primary hosting and data store — PostgreSQL database, Auth, Edge Functions, file/object storage	All account, evidence, billing-reference, file, signature and log data stored in the platform	United States (default region) — see UK→US transfer flag below
Stripe	Subscription billing, payment processing, Stripe Tax	Billing and transaction data, partial card data, taxpayer/location data	US / global (Stripe global infrastructure)
Google (Google OAuth)	Authentication / sign-in	Authentication identifiers, email, profile basics	US / global
Microsoft / Azure (OAuth, SAML SSO)	Authentication / enterprise sign-in (SSO)	Authentication identifiers, SSO/SAML assertions, email, profile basics	US / EU / global (per tenant)
Email magic-link sign-in	Passwordless authentication via email	Email address, sign-in tokens	Via our auth + email providers
Sentry	Error and crash monitoring	Diagnostic/error data, device data, limited identifiers (PII scrubbed where feasible)	US / EU (per configuration)
PostHog	Product analytics	Usage/event data, device data, pseudonymous identifiers	[US / EU region — confirm]
Transactional email provider — [Postmark / Resend]	Sending transactional and service emails	Email address, name, message content	[US / EU — confirm by provider]
CRM — [HubSpot]	Marketing, prospect and customer-relationship management	Contact, marketing and prospect data	[US / EU — confirm by provider]

This list may be updated as our providers change. We maintain a current sub-processor list and notify customers of material changes in accordance with the DPA. [Insert sub-processor change-notification mechanism / page URL.]

8. International data transfers

GaugeTrace is established in the United Kingdom, but our primary hosting and data store (Supabase) is, by default, in the United States, and several other providers (Stripe, Google, Microsoft, Sentry, PostHog, email, CRM) operate in the US or globally. Our customer base is primarily in the United States. As a result, personal data — including UK/EU-origin data — is transferred to and stored in the United States and may be accessed from other countries.

Where we transfer personal data outside the UK to a country without UK "adequacy", we put appropriate safeguards in place, which may include:

the UK International Data Transfer Agreement (IDTA), or
the EU Standard Contractual Clauses (SCCs) together with the UK International Data Transfer Addendum to the EU SCCs, and
supplementary technical and organisational measures (encryption in transit and at rest, access controls).

You can request a copy of the relevant transfer safeguards by emailing [privacy@gaugetrace.com] (we may redact commercial terms). For processor data, the equivalent transfer terms are set out in our DPA.

UK→US transfer flag: Supabase's default region is the US. The IDTA / EU SCCs + UK Addendum is the transfer mechanism relied on for this flow. [Confirm chosen mechanism and whether a UK/EU-region deployment is offered to specific customers.]

9. US-customer posture and California (CCPA/CPRA) rights

Our Services are governed by the laws of England and Wales (see the Terms of Service), but our customer base is primarily in the US Sun Belt. This section addresses US consumers and the distinction between business and consumer contexts.

Business vs consumer. GaugeTrace is a business-to-business service. Our account holders are businesses and their staff acting in an employment/business capacity; much of the data we hold is therefore B2B data. Some US state privacy laws treat business-contact and employee data differently from consumer data. Where you interact with us as a consumer (e.g. as an individual website visitor or an individual end-customer), the consumer protections below may apply. We monitor applicable US state privacy laws and apply them where their thresholds are met. [Confirm current applicability thresholds with counsel — CCPA/CPRA thresholds and other state laws change.]

California residents (CCPA/CPRA). Subject to verification and statutory exceptions, California residents have the right to:

Know / access the categories and specific pieces of personal information we have collected, the sources, purposes, and recipients;
Delete personal information we have collected (subject to exceptions);
Correct inaccurate personal information;
Opt out of "sale" or "sharing" of personal information and of cross-context behavioural advertising;
Limit use of sensitive personal information (we do not use sensitive PI for purposes requiring this right);
Non-discrimination for exercising your rights.

We do not sell your personal information, and we do not "share" personal information for cross-context behavioural advertising, as those terms are defined by the CCPA/CPRA. Because we do not sell or share, no "Do Not Sell or Share My Personal Information" opt-out action is required — but you may still contact us to confirm this status. [If any analytics/advertising cookie is later deemed a "sale"/"share", add a working "Do Not Sell or Share" link and Global Privacy Control honouring here.]

Where we act as a service provider under the CCPA (i.e. processing our business customers' end-customer data on their behalf), we process that data only on the business customer's instructions and do not retain, use or disclose it for any other purpose. Consumers should direct CCPA requests about evidence data to the business customer that controls it.

To exercise US rights, email [privacy@gaugetrace.com] or use the methods in Section 12. You may use an authorised agent. We will verify your identity before responding.

10. Data retention

We keep personal data only for as long as necessary for the purposes described, or as required by law. Indicative retention periods (for data we control):

Data class	Indicative retention
Account & identity data	For the life of the account, then [90 days] after account closure (then deleted or anonymised), unless longer retention is legally required
Authentication / session logs	[12 months] rolling
Billing, invoices & tax records	[6–7 years] to meet UK and US tax/accounting obligations
Marketing & prospect data	Until consent is withdrawn / opt-out, or [24 months] of inactivity, whichever is first
Website analytics & cookie data	Per cookie lifetimes in the Cookie Policy (typically [up to 13 months])
Product analytics / error logs (Sentry, PostHog)	[90 days – 12 months], minimised/pseudonymised where feasible
Support tickets & correspondence	[24–36 months] after resolution
Processor data (evidence, end-customer PII, signatures, calibration records)	Retained for the term of the customer's subscription and returned or deleted per the DPA on termination (typically within [30–90 days]), subject to the customer's own retention configuration

Evidence data may, by its nature, need to be retained to support a defensible audit trail; the retention period for evidence data is set by our business customer as controller. After applicable periods, we delete or irreversibly anonymise personal data.

11. Cookies and similar technologies

Our website and dashboard use cookies and similar technologies (e.g. local storage, analytics tags). Strictly necessary cookies are used to operate and secure the Services. Analytics, performance and marketing cookies are used only with your consent, collected via our cookie banner.

Full details — including each cookie's name, provider, purpose and lifetime, and how to change your choices — are in our Cookie Policy. You can change or withdraw your cookie consent at any time via the cookie settings link on our website.

12. Your data protection rights and how to exercise them

Subject to applicable law and verification, you have the right to:

Be informed about how we use your data (this notice);
Access your personal data and obtain a copy;
Rectify inaccurate or incomplete data;
Erase your data ("right to be forgotten"), where applicable;
Restrict processing in certain circumstances;
Data portability — receive certain data in a structured, machine-readable format;
Object to processing based on legitimate interests, and to direct marketing at any time;
Withdraw consent at any time where we rely on consent;
Not be subject to solely automated decisions producing legal or similarly significant effects (we do not carry out such automated decision-making about you);
California / US state rights as set out in Section 9.

How to exercise your rights. Email [privacy@gaugetrace.com], or write to us at the postal address in Section 2 marked "Data Protection". We will respond within one month (UK GDPR) or the applicable US statutory period, and may extend where permitted for complex requests. We may need to verify your identity. There is normally no charge, but we may charge a reasonable fee or refuse manifestly unfounded or excessive requests.

If you are an end-customer of one of our business customers, please direct rights requests over evidence/end-customer data to that business; we will support them as their processor.

13. Security

We take technical and organisational measures appropriate to the risk to protect personal data, including:

Encryption of data in transit (TLS) and at rest;
Multi-factor authentication, OAuth, SSO/SAML and magic-link authentication options;
Row-Level Security (RLS) and tenant isolation on our database, and role/permission-based access controls;
Audit logging and monitoring (including error monitoring via Sentry);
Least-privilege access for staff and vendor management of sub-processors;
An incident-response and breach-notification process (we notify the ICO within 72 hours and affected individuals where legally required).

No system is perfectly secure; we cannot guarantee absolute security, but we work continuously to protect your data. [Confirm current security baseline, on-device mobile encryption status, and breach runbook before publication.]

14. Children

The Services are intended for business users and professional use and are not directed to children. We do not knowingly collect personal data from anyone under 16 (UK GDPR) or under 13 (US COPPA). If you believe a child's data has been provided to us, contact [privacy@gaugetrace.com] and we will delete it.

15. Complaints and your right to the regulator

If you have a concern about how we handle your personal data, please contact us first at [privacy@gaugetrace.com] so we can try to resolve it.

You also have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom Helpline: 0303 123 1113 — Website: https://ico.org.uk

If you are in another country, you may also have the right to complain to your local data protection authority. California residents may contact the California Privacy Protection Agency or the California Attorney General.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version with a new effective date and version number, and — where changes are material — we will provide additional notice (e.g. email or in-app notice). Your continued use of the Services after the effective date constitutes acceptance of the updated notice, to the extent permitted by law.

17. Definitions and related documents

Controller / Processor / Personal data / Special-category data have the meanings given in the UK GDPR and the Data Protection Act 2018.
"Sale" / "Share" / "Sensitive personal information" / "Service provider" have the meanings given in the CCPA/CPRA.
DPA — the GaugeTrace Data Processing Agreement, governing processor data.
Cookie Policy — details of cookies and tracking on our website.
Terms of Service / EULA / Hardware & Calibration Terms — the contractual terms for the Services and hardware.

End of Privacy Policy v1.0 — [Effective date]. Attorney-review draft — not legal advice; placeholders in [BRACKETS] must be completed before use.