Privacy Policy
Last updated: 21 March 2026
This policy explains what personal data FMan collects, how and why it is processed, who it may be shared with, how long it is kept, and what rights you have. We are committed to protecting your privacy and handling your data transparently.
1. Data controller
The Platform operator (identified in the admin portal) is the data controller for personal data processed through FMan. Where you belong to an organisation that uses FMan, that organisation may act as a separate data controller or joint controller for the data it enters about you. In such cases, your organisation's own privacy notice may also apply.
If you are unsure who controls your data, contact your Workspace Administrator in the first instance.
2. What personal data we collect
We collect the following categories of personal data:
- Account data — full name, email address, phone number, and hashed password, collected when an account is created or an invitation is accepted. We never store plaintext passwords.
- Authentication data — TOTP secret (encrypted at rest with AES-256-GCM), login timestamps, magic-link token hashes, session metadata, and mobile push tokens. This data is used solely for authentication and session management.
- Organisational membership — your role, active status, and association with one or more Workspaces.
- Operational data — tickets, jobs, engineer reports, quotes, invoices, site records, asset records, comments, schedule entries, and status histories you create or are referenced in as part of normal Platform use.
- Payment data — payment status, Stripe-generated references, and transaction amounts. Card details are processed directly by Stripe using their PCI DSS compliant infrastructure and are never transmitted to or stored on our servers.
- Uploaded files — photographs, documents, signatures, and other attachments you upload as part of job evidence, reporting, or communication.
- Usage and audit data — activity events, audit log entries, and access records generated automatically as you use the Platform. These are used for security monitoring and regulatory compliance.
- Technical data — IP address, browser user-agent string, and device information captured in server logs. We do not use this data for tracking or profiling.
3. How and why we use your data
We process your personal data for the following purposes:
- Service delivery — authenticating your identity, managing your account security settings, and operating the facilities management platform.
- Communication — sending transactional notifications (email, push, and SMS where configured) about work you are involved in, such as job assignments, report submissions, invoice reminders, and status updates.
- Payment processing — facilitating invoice payments via Stripe, recording transaction outcomes, and reconciling accounts.
- Security and compliance — detecting and preventing fraud, abuse, and security incidents; maintaining audit trails for legal and contractual compliance.
- Platform improvement — analysing aggregate, anonymised usage patterns to improve performance, reliability, and user experience. We do not use individual personal data for this purpose.
4. Legal bases for processing
We rely on the following legal bases under the UK General Data Protection Regulation (UK GDPR):
- Performance of a contract (Article 6(1)(b)) — processing necessary to deliver the Platform service you or your organisation have signed up for, including account management, service operation, and payment processing.
- Legitimate interests (Article 6(1)(f)) — security monitoring, fraud prevention, audit logging, and Platform improvement, where these interests do not override your fundamental rights and freedoms.
- Legal obligation (Article 6(1)(c)) — retaining financial records, invoices, and audit data as required by tax, employment, or health and safety legislation.
- Consent (Article 6(1)(a)) — push notification delivery, where you have explicitly registered a device. You can withdraw consent at any time by removing the device from the Security page.
5. Who we share your data with
We share personal data only with third-party service providers necessary to operate the Platform. We do not sell, rent, or trade your personal data. Our providers are:
- Database hosting (Neon) — stores all Platform data in encrypted PostgreSQL databases.
- Object storage (Cloudflare R2 / AWS S3) — stores uploaded files and attachments with server-side encryption.
- Email delivery (Resend) — sends transactional emails on our behalf. Only the recipient address and email content are shared.
- Payment processing (Stripe) — processes card payments under Stripe's own privacy policy. Card details are never transmitted to our servers.
- Push notifications (Expo) — delivers mobile alerts. Only push tokens and notification content are shared.
- Application hosting (Railway) — runs the Platform application code. Railway has access to server logs containing technical data.
All providers are contractually bound to process data only for the purposes we specify and are required to implement appropriate security measures.
We may also disclose data where required by law, court order, or regulatory request, or to protect the safety and rights of our Users or the public.
6. Cookies and local storage
FMan uses strictly necessary cookies for authentication. The primary session cookie (fm_app_session) is:
- httpOnly — cannot be accessed by client-side JavaScript
- secure — transmitted only over HTTPS in production
- sameSite: lax — scoped to the Platform domain
- Expires after seven days of inactivity
We do not use advertising, analytics, or tracking cookies. We store a single localStorage flag (fman_cookie_notice_dismissed) to remember whether you have dismissed the cookie notice banner. No consent is required for strictly necessary cookies under UK GDPR / the Privacy and Electronic Communications Regulations 2003.
7. Data retention
We retain personal data for the following periods:
- Account and credential data — retained while your account is active. Deleted immediately upon account deletion.
- Session and authentication data — sessions expire after seven days. Magic-link tokens expire after 15 minutes. TOTP secrets are deleted on account deletion.
- Operational records (tickets, jobs, reports, invoices) — retained for a minimum of six years after the relevant work is completed, to satisfy legal, tax, and contractual obligations.
- Audit logs — retained for a minimum of three years.
- Uploaded files — retained for the same period as the operational record they are attached to.
- Server logs — automatically rotated and deleted after 30 days.
When you delete your account, your personal identifiers (name, email, phone, credentials) are removed immediately. References to your profile in historical records are anonymised — replaced with "Deleted User" — so the audit trail remains intact without being attributable to you.
8. International data transfers
Our primary database is hosted in the EU West (London) region. Some third-party providers may process data outside the UK or European Economic Area. Where this occurs, we rely on appropriate safeguards including:
- UK International Data Transfer Agreements (IDTAs)
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by the UK Secretary of State or the ICO
9. Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Right of access — request a copy of the personal data we hold about you. Use the Download my data button on the Your data page for an instant export.
- Right to rectification — ask us to correct inaccurate or incomplete personal data. You can update your name, email, and phone directly in the Platform.
- Right to erasure — request deletion of your personal data where there is no overriding legal reason for us to retain it. Use the account deletion option on the Your data page. Note: active paid subscriptions must be cancelled before deletion is permitted.
- Right to restriction — ask us to restrict processing of your data in certain circumstances, for example while we verify the accuracy of data you have challenged.
- Right to data portability — receive your personal data in a structured, commonly used, machine-readable format (JSON), provided by the data export feature.
- Right to object — object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds.
- Right to withdraw consent — where processing is based on consent (e.g. push notifications), you can withdraw at any time from the Security page. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Rights relating to automated decision-making — we do not make solely automated decisions that produce legal or similarly significant effects on you.
To exercise any of these rights, use the in-app controls or contact us via the details in your Workspace admin portal. We will respond within one calendar month. If a request is complex, we may extend this by a further two months, but we will inform you of the extension and the reasons for it within the initial month.
10. Children's data
The Platform is not directed at individuals under the age of 18, and we do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete it promptly.
11. Security measures
We implement appropriate technical and organisational measures to protect personal data, including:
- Passwords hashed with scrypt (not reversible)
- TOTP secrets encrypted at rest with AES-256-GCM
- HMAC-signed, httpOnly session cookies
- HTTPS enforced in production (TLS 1.2+)
- Database connections encrypted with SSL
- Role-based access controls restricting data to authorised Workspaces
- Rate limiting on authentication endpoints
- Audit logging of security-sensitive operations
No system is completely secure. If you discover a security vulnerability, please report it to us responsibly through the contact details in the admin portal.
12. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to you, we will also notify affected Users without undue delay.
13. Complaints
If you believe your data protection rights have been infringed, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
We encourage you to contact us first so we have an opportunity to address your concern directly.
14. Changes to this policy
We may update this policy from time to time. Material changes will be communicated to Workspace Administrators via email at least 14 days before they take effect. The date at the top of this page indicates the last revision. We encourage you to review this policy periodically.