Privacy Policy
Last updated: 3 May 2026
Status: Project paused — this policy remains on file for reference only. MyBoilerPal is not currently accepting new customers.
1. Who we are
MyBoilerPal is operated by ApeTec Ltd ("we", "us"), registered in England and Wales (Company Number 17065917). We are the Data Controller for the personal data of our customers (boiler engineers and businesses who subscribe to the Service). We act as a Data Processor for the personal data of our customers' leads (the consumers who call them).
2. What we collect
As Data Controller (your data, as our customer):
- Account data: name, email, business name, phone number
- Billing data: handled by Stripe; we receive customer ID and subscription status only
- Usage data: which features you use, when you log in
- Communications: any messages you send us via the contact form or support channels
As Data Processor (your leads' data, on your behalf):
- Caller phone numbers (E.164 format)
- SMS message content exchanged through the qualification flow
- Voice call recordings and transcripts (where the AI callback fires)
- Job details captured (postcode, urgency, issue type)
3. Lawful basis
We process your data on the basis of contract (delivering the Service you've paid for) and legitimate interest (operating and improving the Service). We process your leads' data on your behalf under the contract between you and us.
4. Who we share data with
- Twilio — telephony provider (US/EU). Phone numbers, SMS content, call metadata.
- OpenAI — AI voice provider (US). Voice transcripts when the AI callback fires.
- Supabase — database hosting (EU). All structured data.
- Vercel — application hosting (EU/US). Application traffic.
- Stripe — payment processor (US/EU). Billing data only.
- Postmark — transactional email (US). Account creation emails, contact form submissions.
We do not sell data to anyone.
5. International transfers
Some of our processors are based outside the UK/EU. Where personal data is transferred outside the UK/EU, we rely on Standard Contractual Clauses or equivalent safeguards.
6. How long we keep data
- Account data: for as long as you have an active subscription, plus 6 years after termination (UK record-keeping requirements).
- Lead data: as configured in your account; default is indefinite retention until you delete it.
- Logs: retained for up to 30 days for operational purposes.
7. Your rights
You have the right to access, correct, delete, restrict processing of, and port your personal data, and to object to processing. To exercise any of these rights, contact us via the contact form.
You have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies
See our Cookie Policy.
9. Security
We follow industry-standard security practices, including encryption in transit (TLS), encryption at rest, multi-tenant data isolation via Postgres Row Level Security, webhook signature verification, and regular security reviews. The most recent security review was on 3 May 2026 (see SECURITY.md in our public repository).
10. Changes to this policy
We may update this policy. We will notify you of material changes by email or in-app notification.
11. Contact
ApeTec Ltd, Company Number 17065917. Privacy queries: via the contact form on myboilerpal.co.uk or email hello@myboilerpal.co.uk.