Privacy Policy
Plain English summary: We collect the minimum information needed to run PAT Manager. We don't sell your data, share it with advertisers, or use it for anything other than providing the service. You can request a copy or deletion of your data at any time by emailing privacy@pat-manager.uk.
1. Who we are
PAT Manager is operated by PAT Manager Ltd (referred to as "we", "us", or "our"). We are the data controller for personal data collected through this website and platform.
Contact: privacy@pat-manager.uk
Address: 12 High Street, Anytown, AB1 2CD
We are registered with the Information Commissioner's Office (ICO). Our UK ICO registration number is: [INSERT ICO NUMBER]. You can verify this at ico.org.uk.
2. What data we collect and why
Account registration
When you register — whether as a PAT testing company or as a client searching for one — we collect:
- Your name and email address
- Your business name, phone number and address (companies)
- Your postcode (used only to calculate distance to nearby companies)
- A hashed password (we never store passwords in plain text)
Legal basis: Contract performance — this information is necessary to provide you with an account and the service you have signed up for.
Test sessions and PAT records
PAT testing companies store client records, asset lists, test results and certificates through the platform. This data may include client contact details and site addresses.
Legal basis: Contract performance (between the PAT company and their client). PAT Manager acts as a data processor in this context — the PAT testing company is the data controller for their client records.
Payment information
We do not store card numbers or full payment details. Payments are processed by Stripe or PayPal, each of which are independently GDPR-compliant. We store only the transaction reference, amount and date.
Legal basis: Contract performance and legal obligation (7-year retention for HMRC requirements).
Security and audit logs
We log login attempts (successful and failed), including IP address, email entered and timestamp. This is used solely for security monitoring — detecting brute force attacks and investigating account compromises.
Legal basis: Legitimate interests — protecting the security of the platform and your account.
Cookies and sessions
We use a single session cookie to keep you logged in. This cookie:
- Contains only a random session identifier — no personal data
- Is set as HttpOnly (JavaScript cannot access it)
- Is set as SameSite=Strict (protects against cross-site attacks)
- Is set as Secure (only transmitted over HTTPS)
- Expires when you close your browser or sign out
We do not use analytics cookies, advertising cookies, or any third-party tracking. No cookie consent banner is required because we only use a strictly necessary functional cookie.
3. Who we share data with
| Party | What is shared | Why | Their privacy policy |
|---|---|---|---|
| Stripe | Your name and email (for card billing), payment amount | Processing subscription payments | stripe.com/gb/privacy |
| PayPal | Your name and email (for PayPal billing), payment amount | Processing subscription payments | paypal.com privacy |
| Postcodes.io | Your postcode only | Converting postcode to map coordinates for distance search. No personal data is transmitted — only the postcode string. | postcodes.io |
| Nobody else | — | We do not share data with advertisers, data brokers, analytics companies or any other third party. | — |
All data is stored on servers located in the United Kingdom or European Economic Area. No data is transferred outside the UK/EEA.
4. How long we keep your data
| Data type | Retention period | Reason |
|---|---|---|
| Account data (name, email) | Until you delete your account, then 30 days | Service delivery |
| PAT test records and certificates | 7 years from test date | Industry best practice; insurance and legal requirements |
| Payment records | 7 years | HMRC legal requirement |
| Security / login logs | 12 months | Security monitoring; proportionate to risk |
| Failed login attempts (IP) | 1 hour | Rate limiting only; auto-deleted |
| 2FA codes (emailed) | 10 minutes | Auto-expires by design |
| Messages and conversations | Until deleted by either party, or account closure + 30 days | Service delivery |
5. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of all personal data we hold about you
- Right to rectification — ask us to correct inaccurate data
- Right to erasure — ask us to delete your data (subject to legal retention requirements — we cannot delete payment records we are legally required to keep)
- Right to restriction — ask us to pause processing your data
- Right to portability — receive your data in a machine-readable format (we support CSV export of PAT records)
- Right to object — object to processing based on legitimate interests
- Right not to be subject to automated decisions — we do not make automated decisions with legal or significant effects
To exercise any of these rights, email privacy@pat-manager.uk. We will respond within 30 days. We may ask you to verify your identity before we can action a request.
6. Data security
We take the security of your data seriously. Measures include:
- All passwords hashed with bcrypt (industry standard, not reversible)
- 2FA available for all accounts (authenticator app or email)
- All traffic encrypted via HTTPS/TLS
- Session cookies are HttpOnly, SameSite=Strict and Secure
- Login rate limiting (brute force protection)
- Admin and database interfaces not exposed to the internet
- Daily encrypted database backups
In the event of a data breach that is likely to result in a risk to individuals, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR Article 33.
7. Data controller vs data processor
PAT Manager operates in two capacities:
- Data controller — for data relating to our own customers (PAT company accounts, billing, subscriptions)
- Data processor — for end-client data entered by PAT testing companies (their clients' contact details, asset records, test results). In this capacity the PAT testing company is the data controller and is responsible for having an appropriate legal basis to process their clients' data and for informing those clients about how their data is used.
PAT testing companies using this platform should ensure their own privacy policy covers the processing of client data through PAT Manager.
8. Children's data
PAT Manager is a business-to-business platform intended for use by adults in a professional capacity. We do not knowingly collect data from anyone under the age of 18. If you believe a minor has registered an account, please contact us at privacy@pat-manager.uk and we will delete the account.
9. Changes to this policy
We will update this policy if our data practices change. The date at the top of this page will always show when it was last revised. For significant changes affecting your rights, we will email registered users directly.
10. Complaints
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK Information Commissioner's Office:
- Website: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
We would appreciate the opportunity to resolve any concern directly before you contact the ICO — please email privacy@pat-manager.uk first.