Privacy Policy

Last updated: 14 June 2026

This policy explains how we collect, use and protect personal data when you use CostYa. It applies to tradespeople who hold a CostYa account and to the customers who submit job enquiries through a trade’s intake link. We process personal data in line with the UK GDPR and the Data Protection Act 2018.

Who we are

CostYa is a trading name of mt-deva limited, the data controller for the personal data described in this policy. We are registered in England and Wales under company number 15768175, with our registered office at 71-75 Shelton Street, London, WC2H 9JQ. For any privacy question, or to exercise your rights, contact us at [email protected].

Where a tradesperson submits their own customers’ data to CostYa, mt-deva acts as a processor on that trade’s behalf for that enquiry data, and the tradesperson is the controller of it. For our own account, billing and analytics data we act as the controller.

The data we collect

We collect different data depending on how you use CostYa.

• Account and business data (for tradespeople): your name, email address, business name, trade, service area or postcode, pricing settings and WhatsApp number.
• Customer enquiry data (for customers who submit a job): the job description, any uploaded photos, your contact details, your location or postcode and the WhatsApp messages exchanged about the job.
• Technical and usage data (for everyone): your IP address, device and browser information, cookies and analytics events about how you use the service.

How we use your data and our legal bases

Under the UK GDPR we must have a legal basis for using your personal data. The bases we rely on are set out below.

• Providing the service and processing enquiries into indicative budget ranges. Legal basis: performance of a contract and our legitimate interests in running the service.
• Sending WhatsApp messages between trades and customers. Legal basis: performance of a contract.
• Billing and subscriptions for tradespeople. Legal basis: performance of a contract.
• Product analytics and improvement. Legal basis: our legitimate interests in understanding and improving the service.
• Security and fraud prevention. Legal basis: our legitimate interests in keeping the service safe.
• Legal compliance, including responding to lawful requests. Legal basis: compliance with a legal obligation.

Automated processing of job details

Job details and uploaded photos are processed by a third-party AI service (Google Vertex AI) to generate indicative budget ranges. These ranges are estimates, not binding quotes. A person (the tradesperson) always makes the final decision about whether and how to respond, so there is no solely automated decision that produces legal effects, or similarly significant effects, for the customer.

Who we share data with

We use trusted third parties (sub-processors) to run CostYa. They process personal data on our instructions and only as needed to deliver the service.

• Twilio, for WhatsApp messaging.
• Neon, for database hosting (AWS London region).
• Cloudflare, for content delivery, DNS and R2 object storage of uploaded photos.
• Cloudinary, for image processing.
• Inngest, for background job processing.
• Google Cloud and Vertex AI, for AI estimation, and Google, for sign-in.
• PostHog, for product analytics.
• Sentry, for error monitoring.
• Polar, for payment processing.
• Railway, for application hosting.

This list may be updated from time to time, and a current list is available on request. We may also share data where we are required to by law, or to protect our rights.

International transfers

Some of our sub-processors are based outside the UK and the EEA. Where personal data is transferred outside the UK, we make sure it is protected by appropriate safeguards, such as the UK International Data Transfer Agreement or Standard Contractual Clauses.

How long we keep data

We keep account data while your account is active and for a reasonable period afterwards. We keep enquiry data and photos for as long as needed to provide the service, and then delete or anonymise them. We keep analytics data for a limited period.

Your rights

Under the UK GDPR you have the right to access your personal data, and to ask us to correct, erase or restrict it. You also have the right to data portability, the right to object to certain processing and the right to withdraw consent where we rely on it. To exercise any of these rights, contact us at [email protected].

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.

Cookies

We use essential cookies for sign-in, sessions and security (including Cloudflare Turnstile). We also use analytics cookies (PostHog) to understand how the service is used, and error monitoring (Sentry) to help us fix problems.

Children

CostYa is a business tool and is not intended for use by anyone under 18. We do not knowingly collect data from children.

Changes to this policy

We may update this policy from time to time. When we do, we will revise the ‘last updated’ date at the top of this page.

© 2026 CostYa · How it works · Privacy · Terms · About · [email protected]

CostYa is a trading name of mt-deva limited, registered in England and Wales (No. 15768175).