Effective Date: March 24, 2026 | Last Updated: March 24, 2026
Trabizo ("we", "us", "our") is a mobile application designed to help tradespeople manage their businesses — including jobs, invoices, expenses, contacts, quotes, calendars, and time tracking.
Data Controller:
For the purposes of the EU General Data Protection Regulation (GDPR), Marc Griffin Mayor is the data controller responsible for your personal data.
| Category | Data | Purpose |
|---|---|---|
| Account Information | Name, email address, password (hashed and stored by Firebase Authentication) | Account creation, authentication, and communication |
| Business Information | Business name, trade/industry, phone number, business address, tax identification number (NIF/CIF), license number | Personalising the app, generating invoices and quotes, business operations |
| Contact/Customer Data | Customer names, phone numbers, email addresses, postal addresses, notes, tags | Customer relationship management, job and invoice linkage |
| Financial Data | Invoices, expenses, materials, quotes, hourly rates, tax rates, payment records | Business accounting, tax calculations, financial reporting |
| Operational Data | Jobs, calendar events, time entries, availability blocks, job templates, maintenance schedules | Job management, scheduling, time tracking |
| Photos & Files | Receipt images, job site photos, business logos, generated PDF invoices and quotes | Record-keeping, invoice branding, documentation |
| Category | Data | Purpose |
|---|---|---|
| Analytics Data | Screen views, feature usage, session duration, interaction events | Understanding usage patterns, improving the app |
| Crash & Diagnostic Data | Crash logs, stack traces, device model, operating system version, app version | Identifying and fixing bugs, improving stability |
| Authentication Tokens | Session tokens, refresh tokens, push notification tokens (planned) | Maintaining authenticated sessions, sending notifications |
We use your personal data exclusively to:
We do NOT:
Under Article 6(1) of the GDPR, we process your personal data on the following legal bases:
| Legal Basis | Data Categories | Explanation |
|---|---|---|
| Performance of Contract (Art. 6(1)(b)) |
Account, business, contacts, financial, operational data, photos | Processing is necessary to provide the Trabizo service as agreed in our Terms of Service. Without this data, we cannot deliver the core functionality of the app. |
| Legitimate Interest (Art. 6(1)(f)) |
Analytics data, crash/diagnostic data | We have a legitimate interest in understanding how the app is used and in maintaining its stability and security. This processing is proportionate and does not override your rights — data is anonymised or aggregated where feasible. |
| Consent (Art. 6(1)(a)) |
Push notification tokens (planned), optional analytics | Where required by law (e.g., push notifications on iOS), we obtain your explicit consent before processing. You may withdraw consent at any time. |
| Legal Obligation (Art. 6(1)(c)) |
Financial data, invoices, tax records | Spanish and EU tax law may require us to retain certain financial records. We process this data to comply with applicable legal requirements. |
We use the following third-party service providers to operate Trabizo. Each acts as a data processor under our instructions and is bound by data processing agreements:
| Provider | Service | Data Processed | Data Location |
|---|---|---|---|
| Google LLC (Firebase) | Firebase Authentication | Email, password hash, authentication tokens, Google account ID (if using Google Sign-In) | EU (eur3) |
| Google LLC (Firebase) | Cloud Firestore | All user-generated business data (jobs, invoices, contacts, expenses, quotes, time entries, settings) | EU (eur3) |
| Google LLC (Firebase) | Cloud Storage | Photos (receipts, job photos), business logos, generated PDF documents | EU (eur3) |
| Google LLC (Firebase) | Firebase Analytics | Usage events, screen views, session data (anonymised identifiers) | EU |
| Google LLC (Firebase) | Firebase Crashlytics | Crash reports, device model, OS version, app version, stack traces | EU |
| Google LLC | Google Sign-In (OAuth 2.0) | Name, email, Google account ID | EU/Global (Google infrastructure) |
| Expo (820 Inc.) | Push Notifications (planned) | Device push token, notification content | USA (with Standard Contractual Clauses) |
Google's GDPR commitments and Data Processing Terms apply to all Firebase services. See: firebase.google.com/support/privacy.
We do not share your personal data with any other third parties except where required by law.
Your core business data (Firestore, Storage, Authentication) is stored in Firebase's eur3 (Europe) multi-region and does not leave the European Economic Area (EEA).
For services that may involve data processing outside the EEA (such as Google's global infrastructure for Analytics/Crashlytics, and Expo for push notifications), the following safeguards are in place:
We will not transfer your data to any country outside the EEA without appropriate safeguards as required by GDPR Chapter V.
We retain your data only for as long as necessary to fulfil the purposes described in this policy:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Until you delete your account | Needed to provide the service |
| Business & operational data | Until you delete your account or individual records | Core service functionality |
| Financial data (invoices, expenses) | Until account deletion, subject to legal minimums | Spanish tax law may require retention for up to 5 years (Ley General Tributaria) or 6 years (Código de Comercio) after the financial year |
| Contact/customer data | Until you delete individual contacts or your account | Customer relationship management |
| Photos & files | Until you delete individual files or your account | Record-keeping |
| Analytics data | 14 months (Firebase Analytics default) | Usage analysis; automatically purged by Firebase |
| Crash data | 90 days (Crashlytics default) | Bug diagnosis; automatically purged by Firebase |
When you request account deletion, we will delete all your personal data within 30 days, except where retention is legally required (e.g., financial records under Spanish tax law). Legally required data will be retained for the minimum statutory period and then permanently deleted.
As a data subject under the GDPR, you have the following rights:
| Right | Description |
|---|---|
| Right of Access (Art. 15) | You can request a copy of all personal data we hold about you, including the purposes of processing and categories of data. |
| Right to Rectification (Art. 16) | You can correct inaccurate personal data or complete incomplete data. Most data can be edited directly in the app. |
| Right to Erasure (Art. 17) | You can request deletion of your personal data. This applies when the data is no longer necessary, you withdraw consent, or you object to processing. Subject to legal retention requirements. |
| Right to Restriction (Art. 18) | You can request that we restrict the processing of your data while we verify its accuracy, resolve an objection, or if processing is unlawful but you oppose erasure. |
| Right to Data Portability (Art. 20) | You can request your data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) and have it transmitted to another controller. |
| Right to Object (Art. 21) | You can object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. |
| Right to Withdraw Consent (Art. 7(3)) | Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. |
| Right Not to Be Subject to Automated Decision-Making (Art. 22) | You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects. Trabizo does not engage in such processing. |
To exercise any of the above rights:
Exercising your rights is free of charge. However, we may charge a reasonable fee or refuse manifestly unfounded or excessive requests, as permitted under Article 12(5).
Some rights can also be exercised directly in the app:
We take data security seriously and implement the following measures:
While we employ commercially reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
Trabizo is a business management tool intended for use by adults (tradespeople and business owners). We do not knowingly collect personal data from children under the age of 16 (the age of digital consent in Spain under the LOPDGDD).
If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at marcgriffinmayor@gmail.com.
Mobile App: The Trabizo mobile app does not use cookies. Firebase services may use device-level identifiers for analytics and crash reporting, as described in Section 2.2.
Web Version (future): If and when a web version of Trabizo is made available, it may use the following categories of cookies:
| Type | Purpose | Legal Basis |
|---|---|---|
| Strictly Necessary | Authentication session, security tokens | Legitimate interest (essential for service operation) |
| Functional | User preferences, language settings | Legitimate interest |
| Analytics | Usage statistics via Firebase Analytics | Consent (opt-in cookie banner) |
The web version will include a cookie consent banner compliant with the ePrivacy Directive and Spanish LSSI-CE. You will be able to manage your cookie preferences at any time.
Trabizo does not use automated decision-making or profiling as defined under GDPR Article 22. No decisions with legal or similarly significant effects are made about you based solely on automated processing.
Features such as "Duration Hints" (estimated job duration based on historical data) are informational suggestions only and do not produce legal or significant effects.
We may update this Privacy Policy from time to time. When we make changes:
Continued use of the app after the effective date of a revised policy constitutes acceptance of the changes. If you do not agree with the updated policy, you may delete your account at any time.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Spain, the competent authority is:
We kindly ask that you contact us first at marcgriffinmayor@gmail.com so we can try to resolve your concern directly.
For any questions, concerns, or requests regarding this Privacy Policy or your personal data:
We aim to respond to all enquiries within 5 business days, and to formal GDPR requests within the legally mandated 30-day period.