PRIVACY POLICY

1. Who We Are

MUFEED LTD (“MUFEED”, “we”, “us”, or “our”) is the Data Controller for personal data processed through the MUFEED platform at www.mufeed.co.uk. We are registered in England and Wales (Company Number 10865845) and our registered office is located in Manchester, England.

We are committed to protecting your personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the MUFEED platform as a customer, provider, or visitor.

2. Personal Data We Collect

We collect the following categories of personal data:

• Identity data: Full name, date of birth (if provided for age verification).
• Contact data: Email address, phone number, city.
• Profile data: Username, biography, service categories, profile photograph, star rating, and reviews.
• Location data: Postcode and city (for job matching). We do not collect real-time GPS location data.
• Financial data: Payment information is processed directly by Stripe, our payment processor (PCI-DSS Level 1 certified). We store only non-sensitive payment references (e.g. Stripe payment intent IDs). We do not store card numbers.
• Visa and immigration data (optional, provider only): Visa type and self-declared weekly hours limit, provided voluntarily by providers to enable visa-compliant job matching. We do not collect or verify visa documents.
• Communications data: Messages sent between users on the MUFEED platform.
• Usage data: IP address, browser type, pages visited, timestamps, referral source.
• Technical data: Device type, operating system, browser version.

3. How We Use Your Data

We use your personal data for the following purposes and on the following legal bases under UK GDPR:

4. Data Retention

We retain your personal data for the following periods:

• Account data: Retained for 7 years after account closure to meet UK financial, tax, and legal obligations (Companies Act 2006; HMRC requirements).
• Transaction records: Retained for 7 years in line with UK financial recordkeeping requirements.
• Communications (messages): Retained for 2 years or until account closure, whichever comes first.
• Application logs and usage data: Retained for 90 days, then deleted or anonymised.
• Marketing consent records: Retained until you withdraw consent and for 3 years thereafter as evidence of consent.

5. Sharing Your Data

We share your personal data only in the following circumstances:

• Between users: When a job is matched, relevant profile information (name, rating, bio, city) is shared between the customer and provider to facilitate the booking.
• Stripe: For payment processing. Stripe acts as a data processor on our behalf and is PCI-DSS Level 1 certified. Stripe's privacy policy is available at stripe.com/privacy.
• Supabase: Our database and authentication infrastructure provider. Data is stored on EU/US servers under appropriate data transfer safeguards (Standard Contractual Clauses where applicable).
• Cloudflare: Used for hosting, content delivery, and DDoS protection. Cloudflare processes request metadata but does not have access to unencrypted user data.
• Legal authorities: We may disclose personal data to law enforcement or regulatory bodies where legally required.

We do not sell your personal data to third parties. We do not share your data with advertisers.

6. Your Rights

Under UK GDPR, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate personal data.
• Right to erasure (“right to be forgotten”): Request deletion of your personal data where there is no longer a lawful basis for processing. Note: we may need to retain some data to comply with legal obligations.
• Right to data portability: Receive your personal data in a structured, commonly used format.
• Right to restriction: Request that we restrict processing of your personal data in certain circumstances.
• Right to object: Object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent: Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any right, contact us at privacy@mufeed.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. Cookies

We use the following categories of cookies:

• Strictly necessary: Session authentication tokens (Supabase), security cookies (Cloudflare __cf_bm). These cannot be disabled as they are required for platform operation.
• Functional: Cookie consent preference storage (mufeed_cookie_consent). Stores your cookie preferences locally.
• Analytics (with consent only): Anonymised usage analytics to understand platform performance. Only activated if you select “Accept All” in our cookie banner.

See our full Cookie Policy for details on specific cookies.

8. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include: TLS encryption in transit, AES-256 encryption at rest (via Supabase), Row Level Security policies on all database tables, and strict access controls. However, no internet transmission or electronic storage is 100% secure.

9. Contact

For all data protection enquiries, contact our Data Protection Lead at:
privacy@mufeed.co.uk

MUFEED LTD, Manchester, England, United Kingdom

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email and by posting the updated policy on this page with a revised effective date. Continued use of the platform after changes constitutes acceptance of the updated policy.