MossyKitBack to home

Privacy Policy

Last updated: 3 April 2026

1. Who we are

MossyKit is a quoting and job management platform for UK exterior cleaning businesses. MossyKit is operated by MossyKit Ltd. For the purposes of the UK GDPR, we are the data controller for the personal data we collect through the MossyKit platform.

Contact: privacy@mossykit.co.uk

2. What data we collect

Data we collect from you (the user / business owner)

  • Name, email address, phone number (account registration)
  • Business name, address, logo (business profile)
  • Bank details — sort code, account number, account name (for invoicing only — displayed on invoices you send)
  • Service configurations, pricing, and process descriptions
  • Usage data — pages visited, features used, last active timestamp

Data we collect about your customers

When you add customers to MossyKit and send them quotes, we process the following data on your behalf as a data processor:

  • Customer name, email, phone number, address
  • Quote and invoice details (services, pricing, dates)
  • Booking preferences (dates, times, notes)
  • Quote response actions (accepted, declined, viewed)

You are the data controller for your customers' personal data. You are responsible for having a lawful basis to process their data (typically legitimate interest or contract performance for quoting services they requested).

3. How we use your data

  • To provide the service — creating quotes, sending emails, generating invoices, managing bookings
  • To improve the service — usage analytics, feedback collection, error monitoring
  • To communicate with you — account notifications, quote generation cost tracking, follow-up emails
  • AI quote generation — quote details (services, m², pricing, customer first name) are sent to Anthropic's Claude API to generate quote text. No full customer contact details are sent to the AI.

4. Third-party processors

We share data with the following third-party services to operate MossyKit:

  • Supabase (database and authentication) — stores all account and customer data. EU region. Privacy policy
  • Resend (email delivery) — receives customer email addresses to deliver quotes, invoices, and follow-ups. Privacy policy
  • Anthropic (AI quote generation) — receives quote details (services, pricing, customer first name only) to generate quote text. No full contact details are shared. Privacy policy
  • Vercel (hosting) — serves the application. Privacy policy
  • Google Maps (satellite measurement) — receives address data for geocoding and map display. Privacy policy

5. Cookies and local storage

We use the following cookies and browser storage:

  • Authentication cookies (essential) — Supabase session cookies to keep you logged in
  • Impersonation cookie (essential, admin only) — used by super admin for account debugging
  • LocalStorage (functional) — walkthrough completion status, UI preferences

We do not use advertising cookies, tracking pixels, or analytics cookies.

6. Data retention

  • Account data — retained for as long as your account is active. Deleted within 30 days of account deletion.
  • Customer data — retained for as long as your account is active. You can delete individual customers at any time.
  • Quotes and invoices — retained for as long as your account is active. We recommend keeping these for your own tax records (HMRC requires 6 years).
  • Email delivery logs — retained by Resend per their retention policy.

7. Your rights (UK GDPR)

You have the right to:

  • Access — request a copy of all data we hold about you (available in Settings → Export Data)
  • Rectification — correct any inaccurate data (editable in Settings and Customer pages)
  • Erasure — delete your account and all associated data (available in Settings → Delete Account)
  • Data portability — export your data in a machine-readable format (available in Settings → Export Data)
  • Restriction — request we limit processing of your data
  • Object — object to processing based on legitimate interest

To exercise any of these rights, email privacy@mossykit.co.uk or use the self-service options in Settings.

8. Data security

All data is encrypted in transit (TLS) and at rest (AES-256 via Supabase). Access to production data is restricted to authorised personnel only. We use row-level security policies to ensure users can only access their own data.

9. Children

MossyKit is not intended for use by anyone under the age of 18. We do not knowingly collect data from children.

10. Changes to this policy

We may update this privacy policy from time to time. We will notify you of significant changes by email or in-app notification. The "last updated" date at the top of this page indicates when the policy was last revised.

11. Contact

For privacy-related questions or requests, contact us at: privacy@mossykit.co.uk