How we handle your data.

“BRIDGE” is a trading name and product of Arcane Automations Ltd, a company registered in England and Wales. Arcane Automations Ltd is the data controller for personal data processed via this site under the UK GDPR and the Data Protection Act 2018.

Privacy contact, data-subject requests, and breach notifications: support@bridgewire.co.uk.

What we hold depends on your role on the platform.

All users

• Account — name, email, password hash, role, email-verification status, suspension status.
• Authentication — sign-in events, the IP address and user-agent of each session, password-reset and account-claim tokens.
• Communications — messages sent through on-platform chat, support tickets, and metadata of email or SMS we have dispatched to you.
• Notifications — in-app notification records.

Learners

• First name, last name, phone number, postcode and a derived latitude/longitude pair, qualifications, prior gas-trade experience (free text), transport status, hours-per-week availability, profile photo.
• Gas Tight Revision attempts and answer history (used to calculate scores and to detect attempt-integrity issues).
• Match history, job-completion records, and your signature on each completion (stored as a base64 image, up to 200KB).

Mentors

• Trading name, sole-trader / limited company status, Companies House number where applicable, trading address, postcode and derived latitude/longitude, website, contact name and phone, biography, capacity, profile photo.
• Gas Safe registration number, registered engineer name, categories of gas work, Gas Safe expiry date.
• Public liability insurance certificate and expiry, qualification documents you upload.
• Stripe Connect account identifier and status (the underlying bank, identity, and KYC data is held by Stripe — see Section 5).

Training centres

• Companies House number, registered company name, registered and trading addresses, postcode and derived latitude/longitude, website, contact name and role, phone, billing contact, VAT number, purchase-order preference.
• Accreditation body and approval number, accreditation expiry date, accreditation and insurance documents you upload.
• Stripe Customer Balance funding details (sort code, account number and reference) cached from Stripe for display.
• For cashout requests: bank sort code, bank account number, and account holder name (held only on the cashout request record; never written to audit logs).

We rely on the following lawful bases under UK GDPR Article 6:

• Performance of a contract — registering you, running the matching service, taking payment, paying out mentors, providing on-platform messaging, and supplying Gas Tight Revision or other purchased products.
• Legitimate interests — vetting registrants, preventing fraud, securing the platform, retaining audit and financial records to defend against disputes, and inviting learners on behalf of training centres with whom they have an existing relationship (the training centre is delegating to BRIDGE the matching task it would otherwise perform itself; we consider this a balanced and expected use of contact details).
• Legal obligation — keeping accounting records (HMRC, six years), responding to lawful regulator requests, and applying anti-fraud and anti-money-laundering controls.
• Consent — opt-in for non-essential cookies (when added) and SMS notifications via your profile toggle. Consent can be withdrawn at any time without affecting earlier processing.

BRIDGE does not intentionally collect special category data (health, race, religion, biometrics, etc.). Please do not include such data in profile fields, free-text experience, support tickets, or messages. If you do, we will treat it as voluntary and process it under explicit consent until you ask us to remove it.

We share personal data with third-party processors who act on our behalf strictly as needed to operate the service. Each processor is bound by a written data-processing agreement and its own published security commitments. We do not sell personal data and we do not run third-party advertising on the platform.

The categories of processor we use are:

• Payments and payouts — card processing, BACS collection, Connect onboarding and payouts to mentors, virtual card issuance, payment reconciliation.
• Email and SMS delivery — transactional and marketing email, opt-in SMS notifications.
• Identity, fraud and KYC providers — verification of identity documents, sanctions and PEP screening, fraud scoring (carried out by our payments partner on our behalf).
• Cloud hosting and storage — application hosting, managed database, encrypted document and image storage, edge / DNS protection.
• Authentication providers — “Sign in with Google” OAuth identity provider; Google shares your email, name, and profile picture with us when you choose this option.
• Public registry lookups — UK Companies House (registered company verification) and Postcodes.io (postcode geocoding); only the company number or postcode is sent, never personal identifiers.
• Customer support and ticketing — inbound customer email handling and support-ticket workflow.
• Tax-reporting partners — annual reporting to HM Revenue & Customs under the Model Reporting Rules for Digital Platforms (DAC7 / MRDP). See section 13.

A current, named list of our sub-processors — including the legal entity, the purpose, and the country in which each operates — is published at bridgewire.co.uk/sub-processors and updated whenever we change the underlying vendor. Where a processor is located outside the UK or EEA, transfers are covered by the UK International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses, or by an equivalent transfer mechanism approved by the ICO.

BRIDGE uses a small number of strictly-necessary cookies to keep you signed in and to remember basic preferences. With your consent (“Accept all” on the cookie banner) we also use PostHog (EU) for privacy-masked product analytics to understand and improve how the platform is used; it is never loaded if you choose “Essential only”. We do not use advertising cookies. A cookie banner is shown on first visit, and a full breakdown is set out in our Cookies Policy.

We retain personal data for as long as your account is active and, afterwards, for as long as needed to comply with our legal and regulatory obligations and to defend against disputes. Specific retention windows:

• Account, profile, messages, notifications — retained for the lifetime of the account, then for up to seven years after closure.
• Financial records: orders, invoices, payments, BACS references, mentor payouts, cashouts — at least six years from the end of the relevant tax year, in line with HMRC rules; in practice retained for seven years.
• Match records, job completions, signatures — retained for seven years after match closure to defend against placement-related disputes and to audit mentor payouts.
• Audit logs — retained for seven years; bank details are intentionally excluded from audit logs.
• Profile photos and uploaded documents — held in S3 for the lifetime of the account; purged from S3 on account deletion.
• Gas Tight Revision attempts and answers — retained for the lifetime of the account so that you can review past attempts; deleted on account deletion.
• Password-reset and account-claim tokens — short-lived (a few hours for resets, up to 7 days for first-time claims) and pruned routinely.

Where you ask us to delete an account before these windows elapse, we will retain the minimum data required by law (typically the financial records) and erase the rest.

We use industry-standard controls to protect personal data, including transport encryption (HTTPS), at-rest encryption on the managed database and on S3, hashed passwords (bcrypt, 12 rounds), short-lived authentication tokens, role-based access control, and a permanent audit log of administrator actions. No system can be guaranteed perfectly secure; if a breach affecting your data occurs we will notify you and the ICO as required by law.

Subject to the conditions in the UK GDPR, you have the right to:

• access the personal data we hold about you;
• have inaccurate data corrected;
• have your data erased (subject to retention obligations, see Section 7);
• restrict or object to certain processing;
• port your data to another provider in a structured format;
• withdraw consent for processing that relies on consent (without affecting earlier lawful processing);
• not be subject to a decision based solely on automated processing that produces a legal or similarly significant effect — vetting and matching decisions on BRIDGE always involve a human reviewer.

To exercise any of these rights, write to support@bridgewire.co.uk. We aim to respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

BRIDGE administrators can view all account data and may, with good cause, sign in as your account to investigate a support issue (“impersonation”). Every impersonation event is recorded in the audit log with the administrator’s identity. Administrator access is restricted to verified @bridgewire.co.uk staff accounts.

BRIDGE is not directed at children under 18 and we do not knowingly collect personal data from anyone under 18. If you believe we hold data on a child, write to support@bridgewire.co.uk and we will erase it.

We may update this policy from time to time. Material changes will be communicated by email to active users and announced via a banner in the dashboard. The “last updated” date at the top of this page indicates the current version.

For privacy questions, data-subject requests, or breach notifications, write to support@bridgewire.co.uk. We aim to respond within 30 days.