Data controller: Movesmith Ltd, a company registered in England and Wales under company number 16634345, registered office 86–90 Paul Street, London EC2A 4NE. ICO registration reference ZC149218.
We take your privacy seriously. Please read this Privacy Policy carefully: it explains how and why we collect, store, use, and share information relating to you (your “personal data”), your rights, and how to contact us or the regulator if you have a complaint. Our handling of your personal data is regulated by law, including the UK General Data Protection Regulation (“UK GDPR”). We are the controller of personal data obtained via our platform at movesmith.uk and related services (the “Services”).
1. Who we are and what this policy covers
1.1 Movesmith Ltd (“Movesmith”, “we”, “us”, “our”) is the data controller of the personal data described in this Policy. You can contact us about privacy at hello@movesmith.uk.
1.2 This Policy applies to personal data we process about: customers who book moves through the Platform; operators (suppliers) who deliver moves on our behalf; drivers and crew employed by operators; and visitors to the Platform. The Services may link to third-party sites or services with their own privacy policies, which you should consult separately.
2. Personal data we collect about customers
2.1 When you use the Platform as a customer, we collect: identity and contact data (name, email, phone); move details (pickup and delivery addresses and access notes, date and arrival window, property type and floor level, extras selected, declared value of goods, and special notes); payment data (card details tokenised by Stripe — we do not store card numbers, expiry dates, or CVCs — Stripe customer ID, and billing address where provided to Stripe); account data where you sign in; operational and evidential data (move photographs taken at pickup and delivery, your electronic sign-off and the IP address used, in-platform messages, disputes and damage claims, and operator ratings about you); marketing and engagement data subject to your consent; and technical data (IP address, browser and device information, pages visited, email engagement events, and cookie identifiers).
3. Personal data we collect about operators
3.1 Where you use the Platform as an operator, we collect: business identity data (legal and trading name, Companies House number, registered and operating address); contact data (contact name, director details, email, phone); vetting and compliance data (Goods in Transit and Public Liability insurance details, Vehicle Compliance Declaration, photo identification of directors and drivers, ULEZ-compliance status, and driver licence and contact details); financial data (Stripe Connect identifier and onboarding status, bank details held by Stripe, payout history); and operational and performance data (completed-job records, cancellation and no-show history, strike count, customer ratings, in-platform messages, move photographs, GPS arrival check-in data, and audit logs). Operators provide most of this data at onboarding; some is generated through use of the Platform over time.
4. How and why we use your data, and our lawful basis
4.1 We process personal data only where we have a lawful basis under UK GDPR Article 6. The basis depends on what we are doing, as set out below.
| Purpose | Lawful basis |
|---|---|
| Providing a quote, processing your booking, assigning an operator, and facilitating the move | Contract |
| Taking payment and processing operator payouts | Contract |
| Sending transactional emails (booking confirmation, operator confirmed, sign-off, dispute reminder) | Contract |
| Operator vetting and ongoing compliance monitoring | Legitimate interests |
| Resolving disputes and damage claims | Contract / legal obligation / legitimate interests |
| Fraud prevention, platform security, and audit logging | Legitimate interests / legal obligation |
| Tax, accounting, and regulatory record-keeping | Legal obligation |
| Marketing to existing customers about Movesmith services | Legitimate interests (soft opt-in under PECR reg 22(3)) |
| Marketing analytics, behavioural segmentation, and engagement tracking | Consent |
| Improving the Platform and analysing usage | Legitimate interests |
4.2 Where we rely on legitimate interests, we have carried out a balancing test and concluded that our interests (operating a safe, reliable, compliant removals platform; protecting against fraud and abuse; and improving our services) do not override your rights and freedoms. You can obtain details by contacting us.
4.3 Where we rely on consent (for example, marketing analytics and behavioural marketing), you may withdraw it at any time using the unsubscribe link in any marketing email, through your account preferences, or by contacting hello@movesmith.uk. Withdrawal does not affect processing carried out before withdrawal. For marketing to existing customers under the PECR soft opt-in, you can opt out at your first booking, in every marketing email, or through your account preferences.
5. How we share your data
5.1 We share personal data with: the operator assigned to your move (your name, contact details, addresses, move details, and special notes — operators do not see your payment data and must handle your data only to perform the move and in accordance with UK GDPR); third-party processors who help us operate the Platform, each bound by a written contract to process data only on our instructions and to UK GDPR standards; professional advisers (accountants, auditors, legal advisers, insurers); and law enforcement, courts, regulators, or other authorities where required by law or to protect rights, property, or safety. If Movesmith is sold, merged, or reorganised, we may transfer your data to the successor entity subject to the same protections.
5.2 We do not sell your personal data, and we do not share it with third parties for their own marketing purposes.
6. Categories of third-party processors
6.1 We use third-party service providers in the categories below. Where a customer-facing brand is named, this is because you interact with it directly (for example, your bank statement shows the payment processor name).
| Category | Purpose | Data location |
|---|---|---|
| Payment processing (Stripe) | Card tokenisation, payment authorisation and capture, operator payouts via Stripe Connect, dispute and chargeback handling | UK / EEA / US |
| Cloud database, authentication, file storage | Storage of booking records, accounts, move photos, vetting documents; passwordless sign-in | EU / UK |
| Transactional and marketing email delivery | Delivery of confirmations, sign-off links, reminders, and (with consent) marketing; deliverability and engagement metrics | US / EU |
| SMS messaging | Operational SMS notifications | US / EU |
| Mapping and geocoding | Map rendering, postcode lookup, distance and ETA calculation | US / EU |
| Cloud hosting and edge network | Hosting the Platform and content delivery | EU / US |
| Source control and DevOps tooling | Source code management (no production personal data) | US |
| Insurance providers | Underwriting Movesmith Cover and handling damage claims | UK |
6.2 A current list of our key processors with specific entities named is available on request by emailing hello@movesmith.uk. Where personal data is transferred outside the UK or EEA, we rely on UK or EU adequacy regulations where they apply, and otherwise on standard contractual clauses with supplementary technical and organisational measures.
7. How long we keep your data
7.1 We retain personal data only as long as we need it for the purpose collected, to comply with legal obligations, and to resolve disputes and enforce our agreements.
| Category of data | Retention period |
|---|---|
| Booking records (payment, customer, operator) | 7 years from the move, for HMRC and Companies Act requirements |
| Move photos (before and after) | 12 months from the move |
| Operator documents (insurance, ID, vehicle compliance) | Duration of the relationship plus 7 years |
| Email logs | 3 years (transactional); 2 years (marketing engagement) unless consent withdrawn earlier |
| Audit log of privileged actions | 7 years |
| Cancelled or aborted bookings | 3 years for financial trail, dispute history, fraud prevention |
| Marketing preferences and engagement data | Until consent withdrawn, or 3 years after last interaction, whichever is sooner |
| Suppression list (unsubscribed contacts) | Indefinitely, to honour your unsubscribe request |
8. Your rights under UK GDPR
8.1 You have the right to: access a copy of your personal data; have inaccurate or incomplete data corrected; have your data erased in certain circumstances (this is not absolute — we may retain financial, tax, audit, and dispute records as required by law); restrict our processing in certain circumstances; receive data you provided in a structured, machine-readable format and transmit it to another controller (data portability); object to processing based on legitimate interests and to direct marketing at any time; and withdraw consent where processing is based on consent.
8.2 To exercise any of these rights, contact hello@movesmith.uk. We may need to verify your identity, and we will respond within one month of a verified request. We do not charge for handling rights requests in most cases.
9. Automated decisions and profiling
9.1 We do not carry out automated decision-making that produces legal or similarly significant effects on you without human involvement. We use automated processes to calculate your quote, broadcast bookings to verified operators, rate-limit public actions, screen for fraud signals, and (with consent) segment marketing. None produces a decision with a legal effect on you without human review where the outcome is contested.
10. How we protect your data
10.1 Our technical and organisational measures include: encryption of data in transit (TLS 1.2 or higher); encryption of payment data at the point of entry via Stripe (we never receive card numbers); database-level access controls; server-side service-role access; passwordless authentication; audit logging of privileged actions; rate limiting on public actions; webhook signature verification; regular security review of code and dependencies; and restriction of production-data access to named personnel. No system is entirely secure; if a breach is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware and, where the risk is high, notify you directly without undue delay.
11. International transfers
11.1 Some processors are based outside the UK and may process personal data outside the UK and EEA (including in payment processing, email, SMS, mapping, hosting, and source control). Where data is transferred outside the UK, we rely on UK adequacy regulations where they apply, standard contractual clauses approved by the UK ICO, and supplementary technical and organisational measures including encryption and access controls. You may request further details by contacting hello@movesmith.uk.
12. Children
12.1 The Platform is not intended for children under 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, contact hello@movesmith.uk and we will delete it.
13. Cookies and similar technologies
13.1 The Platform uses a small number of cookies and similar technologies, both those strictly necessary to operate the Platform and those used for marketing analytics and engagement where you have consented. Detailed information is set out in our Cookie Policy.
14. Changes and how to contact us
14.1 We may update this Policy from time to time; the version in force when we process your data applies, and we update the “Last updated” date above. Where a change is material, we will notify you by email or through the Platform before it takes effect.
14.2 You can contact us about this Policy or your personal data at hello@movesmith.uk, by phone on 020 3143 1719, or by post to Movesmith Ltd, 86–90 Paul Street, London EC2A 4NE.
14.3 You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or on 0303 123 1113. We would prefer the chance to address your concern first, so please contact us before escalating.