How we handle your data.

“BRIDGE” is a trading name and product of Arcane Automations Ltd, a company registered in England and Wales. Arcane Automations Ltd is the data controller for personal data processed via this site under the UK GDPR and the Data Protection Act 2018.

Privacy contact, data-subject requests, and breach notifications: support@bridgewire.co.uk.

What we hold depends on your role on the platform.

All users

• Account — name, email, password hash, role, email-verification status, suspension status.
• Authentication — sign-in events, the IP address and user-agent of each session, password-reset and account-claim tokens.
• Communications — messages sent through on-platform chat, support tickets, and metadata of email or SMS we have dispatched to you.
• Notifications — in-app notification records.

Learners

• First name, last name, phone number, postcode and a derived latitude/longitude pair, qualifications, prior gas-trade experience (free text), transport status, hours-per-week availability, profile photo.
• ACS Practice attempts and answer history (used to calculate scores and to detect attempt-integrity issues).
• Match history, job-completion records, and your signature on each completion (stored as a base64 image, up to 200KB).

Mentors

• Trading name, sole-trader / limited company status, Companies House number where applicable, trading address, postcode and derived latitude/longitude, website, contact name and phone, biography, capacity, profile photo.
• Gas Safe registration number, registered engineer name, categories of gas work, Gas Safe expiry date.
• Public liability insurance certificate and expiry, qualification documents you upload.
• Stripe Connect account identifier and status (the underlying bank, identity, and KYC data is held by Stripe — see Section 5).

Training centres

• Companies House number, registered company name, registered and trading addresses, postcode and derived latitude/longitude, website, contact name and role, phone, billing contact, VAT number, purchase-order preference.
• Accreditation body and approval number, accreditation expiry date, accreditation and insurance documents you upload.
• Stripe Customer Balance funding details (sort code, account number and reference) cached from Stripe for display.
• For cashout requests: bank sort code, bank account number, and account holder name (held only on the cashout request record; never written to audit logs).

We rely on the following lawful bases under UK GDPR Article 6:

• Performance of a contract — registering you, running the matching service, taking payment, paying out mentors, providing on-platform messaging, and supplying ACS Practice or other purchased products.
• Legitimate interests — vetting registrants, preventing fraud, securing the platform, retaining audit and financial records to defend against disputes, and inviting learners on behalf of training centres with whom they have an existing relationship (the training centre is delegating to BRIDGE the matching task it would otherwise perform itself; we consider this a balanced and expected use of contact details).
• Legal obligation — keeping accounting records (HMRC, six years), responding to lawful regulator requests, and applying anti-fraud and anti-money-laundering controls.
• Consent — opt-in for non-essential cookies (when added) and SMS notifications via your profile toggle. Consent can be withdrawn at any time without affecting earlier processing.

BRIDGE does not intentionally collect special category data (health, race, religion, biometrics, etc.). Please do not include such data in profile fields, free-text experience, support tickets, or messages. If you do, we will treat it as voluntary and process it under explicit consent until you ask us to remove it.

We share personal data with the following processors strictly as needed to operate the service. Each is bound by its own published terms and security commitments. We do not sell personal data and we do not run third-party advertising on the platform.

• Stripe Payments UK Ltd / Stripe Inc. — Stripe Checkout, Stripe Connect Express (mentor payouts, including identity, address, date-of-birth and bank details collected directly by Stripe), Stripe Customer Balance for training-centre BACS funding, and webhooks for reconciliation.
• Resend — transactional email delivery (welcome, account-claim links, vetting, payment receipts, support ticket replies).
• Twilio — outbound SMS for transactional notifications, sent only where you have opted in via your profile.
• Google LLC — “Sign in with Google” OAuth identity provider; Google shares your email, name, and profile picture with us when you choose this option.
• Postcodes.io — UK postcode-to-coordinates lookup; we send only the postcode, never identifiers.
• Companies House (UK government) — public company registry lookup for training-centre and mentor verification; we send only the company number.
• Amazon Web Services (S3) — encrypted storage of profile photos, qualification documents, and accreditation / insurance certificates.
• MongoDB Atlas — managed database hosting, EU West-1 (Dublin, Ireland).
• Railway — application hosting, europe-west4 (Amsterdam, Netherlands).

Where a processor is located outside the UK or EEA, transfers are covered by the UK International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses, or by an equivalent transfer mechanism approved by the ICO.

BRIDGE uses a small number of strictly-necessary cookies to keep you signed in and to remember basic preferences. We do not use advertising cookies. A cookie banner is shown on first visit, and a full breakdown is set out in our Cookies Policy.

We retain personal data for as long as your account is active and, afterwards, for as long as needed to comply with our legal and regulatory obligations and to defend against disputes. Specific retention windows:

• Account, profile, messages, notifications — retained for the lifetime of the account, then for up to seven years after closure.
• Financial records: orders, invoices, payments, BACS references, mentor payouts, cashouts — at least six years from the end of the relevant tax year, in line with HMRC rules; in practice retained for seven years.
• Match records, job completions, signatures — retained for seven years after match closure to defend against placement-related disputes and to audit mentor payouts.
• Audit logs — retained for seven years; bank details are intentionally excluded from audit logs.
• Profile photos and uploaded documents — held in S3 for the lifetime of the account; purged from S3 on account deletion.
• ACS Practice attempts and answers — retained for the lifetime of the account so that you can review past attempts; deleted on account deletion.
• Password-reset and account-claim tokens — short-lived (a few hours for resets, up to 7 days for first-time claims) and pruned routinely.

Where you ask us to delete an account before these windows elapse, we will retain the minimum data required by law (typically the financial records) and erase the rest.

We use industry-standard controls to protect personal data, including transport encryption (HTTPS), at-rest encryption on the managed database and on S3, hashed passwords (bcrypt, 12 rounds), short-lived authentication tokens, role-based access control, and a permanent audit log of administrator actions. No system can be guaranteed perfectly secure; if a breach affecting your data occurs we will notify you and the ICO as required by law.

Subject to the conditions in the UK GDPR, you have the right to:

• access the personal data we hold about you;
• have inaccurate data corrected;
• have your data erased (subject to retention obligations, see Section 7);
• restrict or object to certain processing;
• port your data to another provider in a structured format;
• withdraw consent for processing that relies on consent (without affecting earlier lawful processing);
• not be subject to a decision based solely on automated processing that produces a legal or similarly significant effect — vetting and matching decisions on BRIDGE always involve a human reviewer.

To exercise any of these rights, write to support@bridgewire.co.uk. We aim to respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

BRIDGE administrators can view all account data and may, with good cause, sign in as your account to investigate a support issue (“impersonation”). Every impersonation event is recorded in the audit log with the administrator’s identity. Administrator access is restricted to verified @bridgewire.co.uk staff accounts.

BRIDGE is not directed at children under 18 and we do not knowingly collect personal data from anyone under 18. If you believe we hold data on a child, write to support@bridgewire.co.uk and we will erase it.

We may update this policy from time to time. Material changes will be communicated by email to active users and announced via a banner in the dashboard. The “last updated” date at the top of this page indicates the current version.

For privacy questions, data-subject requests, or breach notifications, write to support@bridgewire.co.uk. We aim to respond within 30 days.