Privacy Policy
Last updated: 20 June 2026
This policy explains how MainsMate collects, uses, stores and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Please read it alongside our Terms of Use.
1. Who we are
MainsMate is a UK-based software platform for gas mains replacement operational workflows. The service is provided by Rikki Howard, trading as MainsMate.
For any data protection enquiries, please contact us at rikki.howard89@gmail.com.
2. Controller and processor role
Depending on the context, MainsMate may act in different roles under data protection law:
- As a data controller — for its own account data, enquiry data, support communications, and platform administration.
- As a data processor — where a client company uses MainsMate to manage operational records relating to its own users, projects, customers or workforce. In that context, the client company is the controller and MainsMate processes data on their behalf.
Where MainsMate acts as a processor, the client company remains responsible for ensuring there is a lawful basis for processing and that data subjects have been informed appropriately.
3. What personal data we collect
We may collect or process the following categories of personal data:
- Account data: Email address and authentication credentials.
- Profile data: Full name, job role, EUSR/resource number, GasSafe registration number, company name, depot and related operative or manager details.
- Role and company membership: Which company or companies a user belongs to, their assigned role, and when they joined or accepted their invitation.
- Operational records: Forecast data, daily operations plans, project and street records, job pack data, mains and service measures, service testing logs, job reports, pre-site visit records and service checklists.
- Customer liaison data: Where entered into the platform, this may include customer names, contact details, address information, MPRN references, pre-site visit notes and vulnerability or PSR (Priority Services Register) flags.
- MPRN and address data: MPRN and address lookup data where the address lookup feature is used on site or in the office.
- Signatures: Digital signatures drawn in-app, stored as SVG data and used on exported documents such as job reports and certificates.
- GPS and location data: Where the head-tracker or GPS feature is used, grid reference coordinates and deployment data associated with operatives or assets.
- Uploaded files: Documents, images, certificates or other files uploaded to the company vault or shared document storage.
- Exports and reports: PDFs, CSVs, packaged exports or shared document links generated from platform data.
- Audit log data: Records of significant platform actions including record submissions, administrative changes and super-admin events.
- Support and enquiry data: Name, company, contact details and message content provided when submitting a demo request, access request or support enquiry.
- Device and session data: Limited device and session information used to maintain authentication and optimise the application experience.
- Offline and PWA data: Where the progressive web app (PWA) offline mode is enabled, a temporary local cache of work data may be stored on the device to support use in areas with limited connectivity.
4. How we collect data
We collect personal data in the following ways:
- Directly from you when you create an account, complete your profile, or submit an enquiry.
- When you use the platform — entering operational records, completing forms, uploading files, or drawing a signature.
- Automatically — limited session and authentication data is captured when you sign in.
- Via invitation — where a company admin invites you to join their company account.
5. Why we use data and lawful bases
- Contract performance: To provide access to the platform, store and retrieve your work data, generate exports and certificates, and fulfil the service you or your employer has engaged.
- Legal obligation: Where we are required to retain or share data by applicable law, regulation, or a lawful request from a competent authority.
- Legitimate interests: To maintain platform security, investigate misuse, manage platform performance, and improve reliability. We do not use personally identifiable data for marketing analytics.
- Consent: Where we ask for it — for example, for any non-essential cookie or tracking activity introduced in future.
6. Operational and company data
Operational records — including forecasts, daily ops plans, measures, testing logs, exports and audit trails — are stored at company level. Access is restricted to members of the relevant company account based on their assigned role.
Clients using MainsMate to manage their operational data remain responsible for ensuring their use of the platform is consistent with their own data protection obligations, including any obligations owed to their subcontractors, operatives or customers.
7. Customer liaison and vulnerable customer information
Where the platform is used to record pre-site visits, customer contact, or notes relating to vulnerable customers or PSR status, this data is entered by authorised company users and stored within the relevant company account.
This data is subject to the same company-scoped access controls as all other operational records. We recommend that client companies maintain their own policies for handling sensitive customer information and ensure their teams are trained accordingly.
8. Uploaded files, signatures, exports and shared document links
Files uploaded to the company vault and documents in shared storage are stored securely and are only accessible to authorised members of the relevant company.
Exported PDFs, CSVs and packaged job exports may contain personal data such as operative names, signatures, customer references, and address or MPRN information. These exports are generated by authorised users and it is the responsibility of the client company to handle them securely once downloaded.
Shared document links allow specific documents to be shared outside the platform. Where configured, these links may expire. Client companies should exercise care when sharing documents that contain personal data.
9. Device, session and offline data
Session data is used only for authentication and platform functionality. It is not used for advertising or cross-site tracking.
Where the offline/PWA mode is active, a temporary local cache of work data may be stored on the device. This data is used to support offline use and is synchronised when connectivity is restored. Users should be aware that locally cached data remains on their device until the app cache is cleared.
10. Who we share data with
We do not sell personal data. We use the following sub-processors and infrastructure providers to operate the platform:
- Supabase: Database, authentication, file storage and related infrastructure.
- Vercel: Application hosting, delivery and edge infrastructure.
- Resend: Transactional email delivery (e.g. invitations, notifications).
- Mapbox: Mapping and location display where the mapping feature is used.
- Address lookup: Address lookup and MPRN search where the address lookup feature is used. Provider subject to review.
- GitHub: Source code management and deployment pipeline.
- Professional advisers: Legal, financial or regulatory advisers where required.
- Authorities: Regulatory or law enforcement bodies where we are legally required to disclose.
We select suppliers with appropriate security and data handling practices and review these arrangements as the platform develops.
11. International transfers and supplier safeguards
Some of our infrastructure providers may process data outside the UK or EEA. Where this applies, we rely on appropriate transfer safeguards such as UK adequacy regulations, standard contractual clauses, or binding corporate rules.
We do not confirm the specific hosting region for any individual supplier without verified information. If you have specific requirements regarding data residency, please contact us to discuss.
12. How we protect data
We apply the following technical and organisational measures:
- All connections to the platform use HTTPS/TLS encryption.
- Access to data is controlled by role-based access at company level.
- Each company account is logically separated — users cannot access another company's data.
- File storage access is restricted by company and role.
- Administrative and super-admin access requires database-level authorisation and is subject to audit logging.
- We review our security practices and supplier controls as the platform develops.
No system can guarantee absolute security. If you believe a security incident has occurred, please contact us immediately at rikki.howard89@gmail.com.
13. How long we keep data
Account and profile data is retained while the account is active. You may request deletion at any time — see Section 14.
Operational records entered by company users may be retained by the relevant client company for audit, safety, commercial, contractual or legal reasons. Deletion of a user account may not remove data where that data forms part of a company's audit history or safety records.
Shared document links may expire where configured by the company admin.
We are developing more granular retention controls as the platform matures. Retention schedules for specific data categories will be reviewed in line with applicable law and client requirements.
14. Your data protection rights
Under UK GDPR, you have the following rights (subject to applicable exemptions):
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure: Request deletion of your personal data, subject to our legal obligations and the interests of other parties.
- Portability: Request a machine-readable copy of your personal data.
- Restriction: Ask us to pause processing in certain circumstances.
- Objection: Object to processing based on legitimate interests.
To exercise any right, contact rikki.howard89@gmail.com. We will respond within one calendar month.
Note: where MainsMate acts as a processor, your rights requests relating to operational records should be directed to the client company (the controller) in the first instance.
15. ICO complaint right
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.
ICO website: ico.org.uk — Helpline: 0303 123 1113.
We would always encourage you to contact us first so we have the opportunity to address your concerns.
16. Cookies
MainsMate uses essential session storage and cookies required for authentication and platform security. These are necessary for the service to function and cannot be disabled.
We do not currently use non-essential analytics or advertising cookies. If this changes, we will provide appropriate notice and obtain consent where required.
17. Changes to this policy
We may update this policy from time to time to reflect changes in the platform, our suppliers, or applicable law. The date at the top of this page reflects the most recent version. We will take reasonable steps to notify users of material changes.
18. Contact
For all data protection enquiries, rights requests, or concerns, contact us at:
MainsMate — Rikki Howard, trading as MainsMate, United Kingdom.