Homechevron_rightPrivacy Policy

shieldYour Privacy

Privacy Policy

We believe in radical transparency. This policy is written in plain English — not legal jargon — and tells you exactly what we collect, why we collect it, and what we never do with your data.

Last updated: 30 March 2026

1. Who we are

TopTenTrades (toptentrades.com) is a UK ethical business directory. We verify and showcase UK businesses based on independently assessed social responsibility criteria. We do not accept payment for listings or ranking positions.

For the purposes of UK GDPR, TopTenTrades is the data controller for personal data submitted to this website.

mailTo contact us about your data: use our contact form and select General Enquiry.

2. Our principles

As an ethical business directory, we hold ourselves to the same standards we assess in others. Our data principles are:

  • Minimum collection. We only collect what we genuinely need to operate the service.
  • No selling. We will never sell, rent, or broker your personal data to any third party.
  • No advertising profiles. We do not build advertising profiles or share data with ad networks.
  • Privacy by design. Where possible, we anonymise or hash data at the point of collection (e.g. IP addresses are hashed immediately and the raw IP is never stored).
  • Plain language. We write our policies in plain English so you know exactly what you are agreeing to.

3. What we collect

We collect different data depending on how you interact with the site:

3a. Browsing the site (no account required)

When you browse TopTenTrades we collect minimal anonymous analytics. Specifically:

  • A one-way hashed version of your IP address (combined with a random salt). The raw IP is never stored and cannot be reverse-engineered.
  • The type of link you clicked (website, phone, or email) and which page you clicked from.
  • Your browser user-agent string (e.g. "Chrome on Windows").
  • The referring URL if you arrived from another site.

This data is used solely to measure how often ethical businesses receive referrals through the directory. No advertising or retargeting system ever receives this data.

3b. Submitting a nomination

When you nominate a business via /nominate we collect:

  • Business name, website, and Companies House number
  • The industry or trade sector
  • Supporting evidence text you provide for each scoring criterion
  • Your email address (optional) — used only to notify you of the outcome

3c. Submitting a contact form

When you use /contact we collect:

  • Your name and email address
  • Company name and phone number (optional)
  • The subject of your enquiry and your message

3d. Submitting a business report

When you report a listing via the report function on a business profile page we collect:

  • Your report content (the specific concern you are raising)
  • A reference to the business the report relates to

Reports are anonymous by design. We do not collect your name or contact details unless you choose to include them in the report text.

4. How we use it

We use the data we collect only for the following purposes:

  • Click analytics — to show verified businesses how many referrals they receive through the directory.
  • Nomination review — to assess and verify businesses nominated for listing.
  • Responding to enquiries — to reply to your contact form submission.
  • Investigating reports — to review concerns raised about listed businesses.
  • Service improvement — aggregate, anonymised usage patterns help us understand which features are working.

Our legal bases under UK GDPR are:

  • Legitimate interests — for anonymous click analytics and service improvement.
  • Contract / pre-contractual steps — for nomination and contact form processing.
  • Legal obligation — where we are required to retain records by law.

5. What we never do

blockSell your personal data to any third party
blockShare your data with advertising networks
blockBuild behavioural profiles for marketing purposes
blockUse your data to make automated decisions that affect you
blockStore raw IP addresses (we hash them immediately)
blockSend you unsolicited marketing emails
blockTransfer your data outside the UK without appropriate safeguards

6. Where data is stored

All data submitted to TopTenTrades is stored in a PostgreSQL database hosted by Supabase, in the eu-west-2 (London) AWS region. Your data does not leave the United Kingdom.

Supabase acts as a data processor on our behalf and is contractually bound to process data only in accordance with our instructions. They operate under industry-standard security controls including encryption at rest and in transit.

The TopTenTrades website is hosted on Vercel (UK/EU edge network). Vercel does not have access to your submitted personal data.

7. How long we keep it

Data typeRetention periodReason
Click events (hashed IP)12 monthsReferral analytics reporting
Nomination submissions3 yearsReview audit trail
Contact form submissions2 yearsCorrespondence record
Business reports3 yearsInvestigation audit trail

After the retention period, data is permanently deleted. You may request early deletion at any time — see Your rights below.

8. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification — you can ask us to correct inaccurate data.
  • Right to erasure — you can ask us to delete your personal data ("right to be forgotten").
  • Right to restriction — you can ask us to restrict how we process your data in certain circumstances.
  • Right to object — you can object to processing based on legitimate interests.
  • Right to portability — you can request your data in a machine-readable format.

To exercise any of these rights, contact us. We will respond within 30 days and there is no charge for reasonable requests.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Cookies & tracking

TopTenTrades uses no advertising cookies and no third-party tracking pixels. We do not use Google Analytics, Facebook Pixel, or any behavioural tracking service.

The only browser storage we use:

  • Session cookies set by our hosting infrastructure (Vercel) for basic request routing. These are strictly necessary and contain no personal data.
  • No persistent tracking cookies are set by TopTenTrades itself.

Our click analytics system fires a single server-side event when you click a business contact link. This event uses a hashed IP address and contains no cookie or persistent identifier.

10. Third-party services

We use a small number of third-party services to operate the site:

  • Supabase (database hosting, London region) — stores business listings, nominations, contact submissions, and anonymised analytics.
  • Vercel (website hosting, UK/EU edge) — serves the website. Does not access submitted personal data.
  • Google Fonts — serves typefaces used on the site. When your browser loads the page, it makes a request to Google's font CDN. Google's own privacy policy applies to this request. We load fonts via <link> tags to minimise the data sent.

We do not use any social media embeds, comment systems, or live chat tools that would track you across websites.

11. Children

TopTenTrades is a business directory intended for adults. We do not knowingly collect personal data from anyone under the age of 13. If you believe a child has submitted personal data to us, please contact us and we will delete it promptly.

12. Changes to this policy

We may update this privacy policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We will not retroactively reduce your rights under any previous version of this policy without your explicit consent.

We encourage you to review this page periodically. Continued use of the site after a change constitutes acceptance of the updated policy.

13. Contact us

If you have any questions about this privacy policy, want to exercise your data rights, or have a concern about how we have handled your information, please get in touch:

mailContact form — select General Enquiry and mention privacy in your message.

We aim to respond to all privacy-related requests within 5 working days and to fulfil formal data rights requests within 30 calendar days as required by UK GDPR.