Privacy Policy
Last updated: 1 May 2026 · Effective from: 1 May 2026
We try to keep this short and in plain English. Said & Paid is built for tradesmen who need to get invoices out fast — we only collect what we need to do that, and we don't sell your data. Ever.
1. Who we are
Said & Paid (“Said & Paid”, “we”, “us”, “our”) is a voice-first invoicing app for tradesmen, operating in the United Kingdom. “Said & Paid” is currently a trading name and not a registered company. If that changes, we'll update this policy with the registered entity details.
- Website: https://saidpaid.com
- Contact: hello@saidpaid.com
For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller for the personal data described in this policy. If you have any questions about how we handle your data, email hello@saidpaid.com.
2. What information we collect
Account data
- Your name and email address
- Login and authentication data (including basic profile data from Google if you choose to sign in with Google — typically your name, email and profile picture URL)
Business profile data
- Business name, address, phone number and email
- VAT status and VAT number (if you're VAT registered)
- Payment details you choose to display on invoices (e.g. bank name, sort code, account number)
- Hourly rates, callout fees, payment terms and saved default line items
Customer and invoice data
- Customer names, addresses and contact details (where you enter them)
- Job addresses, descriptions and notes
- Invoice line items, prices, VAT, totals and invoice status
Voice and transcript data
- Audio you record when describing a job
- Transcripts produced from those recordings
- The structured invoice fields our AI extracts from the transcript
Technical data
- IP address, device type, operating system and browser information
- Usage logs (e.g. which pages you visit and which actions you take)
- Error and crash logs to help us debug issues
- Cookies, local storage and session data needed to keep you signed in and to remember your preferences
3. How we use information
- To create your account and keep you securely signed in
- To turn voice recordings into draft invoices
- To transcribe audio and extract invoice fields using AI
- To generate invoice PDFs
- To save your customers, jobs, rates and invoices so you can re-use them
- To let you share invoices with your customers
- To respond to support queries and feedback
- For security, fraud prevention, debugging and improving the service
- To meet legal, tax and accounting obligations
4. AI processing
Said & Paid uses AI to convert spoken or typed job descriptions into structured invoice drafts (customer, line items, labour, VAT, totals, etc.). Audio and transcripts are sent to our AI provider (see Section 6) over an encrypted connection for this purpose only.
You are always in control. Every invoice is shown to you as a draft that you must review and confirm before it's saved or sent. AI can make mistakes, so please always check totals, VAT, customer details and line items before sharing an invoice.
No automated decision is made about you that produces a legal or similarly significant effect. The AI's job is to help you draft an invoice — nothing more.
Please avoid speaking or entering unnecessary sensitive information (for example health details, payment card numbers, or anything not relevant to the job).
5. Lawful bases for processing
Under UK GDPR, we rely on the following lawful bases:
- Contract — to deliver the service you've signed up for (creating and storing your invoices, AI drafting, sharing).
- Legitimate interests — to keep the service secure, prevent abuse, debug issues and improve features. We balance this against your rights and you can object at any time.
- Legal obligation — to meet our legal duties (for example tax, accounting and lawful requests from authorities).
- Consent — where required, e.g. for non-essential analytics or marketing communications. You can withdraw consent at any time.
6. Who we share data with
We share data only with the trusted providers listed below, and only to the extent needed to run the service. We don't sell your data and we don't share it for advertising.
- Lovable Cloud (powered by Supabase) — hosts the website and app, stores your account, profile, customers and invoices, and handles authentication.
- Google — if you choose “Continue with Google”, Google receives the basic profile data needed to authenticate you, and we receive your name, email and profile picture URL.
- Lovable AI Gateway — routes voice transcripts and job descriptions to the AI models used to draft invoices. The underlying models are provided by Google (Gemini) and OpenAI (GPT). Audio and transcripts are processed only to produce your draft and are not used by these providers to train their general models.
- Email, sharing and payment providers — when we add the ability to email invoices, share via links or take payments, we'll use established providers (e.g. Resend, Stripe). We'll update this policy when those go live.
- Analytics and error logging — if/when added, to understand usage patterns and fix bugs. We'll name the providers here when added, and use consent where required.
- Authorities — where we're legally required to disclose data (e.g. a valid court order or HMRC request).
7. How long we keep data
- Account data — for as long as your account is active.
- Invoices and customers — kept while your account is active and for up to 7 years afterwards, to meet UK accounting and tax requirements (HMRC requires businesses to keep records for at least 6 years).
- Voice recordings — deleted shortly after the transcript and draft invoice are produced (typically within 24 hours), unless you choose to keep them.
- Transcripts — kept with the related invoice for as long as the invoice is kept, so you can review what was said.
- Support messages — typically kept for up to 2 years.
- Technical and security logs — typically kept for up to 90 days.
- Deleted accounts — most data is removed within 30 days of deletion, except where we must retain it for legal or accounting reasons.
8. Cookies and local storage
We use a small number of strictly necessary cookies and local storage entries to keep you signed in, remember your preferences and protect your account. These are essential to the service and don't require consent under UK PECR.
If we add optional analytics or marketing cookies in the future, we'll only use them where you've given consent first, and you'll be able to change your mind at any time.
9. Security
We take security seriously. Your data is encrypted in transit (HTTPS/TLS), stored on managed infrastructure with access controls, and protected by row-level security so you can only see your own data. Passwords are hashed, never stored in plain text. We keep our software up to date and review access regularly.
No service can promise 100% security, so please pick a strong password and don't share your login. If we ever become aware of a personal data breach that's likely to risk your rights and freedoms, we'll notify the ICO within 72 hours and tell affected users without undue delay, in line with UK GDPR.
10. International transfers
Our infrastructure is hosted in the UK / EEA where possible, but some providers (e.g. Google, OpenAI) may process data outside the United Kingdom. Where this happens, we make sure appropriate safeguards are in place (such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or processing in countries the UK has deemed adequate) so your data continues to be protected.
11. Children
Said & Paid is intended for use by adults running a trade or business. The service is not directed at children under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we'll delete it.
12. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Correct data that is wrong or incomplete
- Ask us to delete your data (where applicable)
- Restrict or object to certain processing
- Receive your data in a portable format
- Withdraw consent where we rely on it
- Complain to the UK Information Commissioner's Office (ICO) at ico.org.uk — though we'd appreciate the chance to put things right first.
To exercise any of these rights, email hello@saidpaid.com. We'll respond within one month.
13. Contact
Questions, requests or feedback? Email hello@saidpaid.com and we'll get back to you.
14. Changes to this policy
We may update this policy from time to time as the service evolves or laws change. When we make material changes, we'll update the date at the top of this page and, if appropriate, let you know in the app or by email before the changes take effect.
