Privacy policy for plumbers, electricians & tradespeople
If you’re a plumber, electrician, builder, or any other tradesperson with a website, you need a privacy policy. You also need cookie consent, terms and conditions, and your company details displayed correctly. Here’s what the regulations actually require and why a generic template won’t cut it.
Yes, tradespeople need a privacy policy
This is the question we get asked most often by tradespeople, and the answer is straightforward: if you collect any personal data — and you do, every time you take a customer’s name, address, and phone number to book a job — UK GDPR requires you to tell people what you do with that data. The privacy policy is where you do that.
It doesn’t matter whether you’re a sole trader, a partnership, or a limited company. It doesn’t matter how small your business is. The obligation applies to everyone who processes personal data.
What most tradespeople don’t realise is that “processing” includes things as simple as storing a customer’s phone number in your mobile, keeping invoices with names and addresses in a spreadsheet, or sending a quote by email. All of this is personal data processing under UK GDPR.
What data do tradespeople actually handle?
More than you think:
- Customer contact details — names, addresses, phone numbers, email addresses. Collected for every job.
- Property details — addresses of properties you work on (which, for landlords, may be different from the customer’s home address). The address of a property combined with a person’s name is personal data.
- Access information — key safe codes, alarm codes, access instructions. Highly sensitive even though it’s not technically “special category” data.
- Gas Safe data — if you’re a Gas Safe registered engineer, installation and safety check data is shared with the Gas Safe Register.
- Electrical certification data — NICEIC or NAPIT registered electricians submit notification data to Building Control and the relevant scheme provider.
- Photographs of work — photos taken on customer premises for records, insurance, or marketing. These often capture personal property and sometimes people.
- Payment and invoicing data — bank details, invoice records with names and addresses.
- Subcontractor details — if you use subcontractors, you hold their personal data too.
- Landlord certification records — gas safety certificates, electrical installation condition reports (EICRs), which link a landlord to specific properties.
Key point: Customer premises addresses, access codes, and property-specific information are personal data when linked to an identifiable person. Your privacy policy needs to explain how you handle this information, who has access to it, and how long you keep it.
Gas Safe and NICEIC: regulatory data sharing
If you’re a Gas Safe registered engineer, every gas installation and safety check you carry out is notified to the Gas Safe Register. This is a legal requirement, not optional. Your privacy policy must disclose this data sharing — customers have a right to know that information about their property and gas appliances is being shared with a regulatory body.
Similarly, NICEIC and NAPIT registered electricians notify Building Control and the scheme provider when certain types of electrical work are completed. This is part of the Part P Building Regulations process.
Your privacy policy should explain that you share data with these bodies, name them (Gas Safe Register, NICEIC, NAPIT, or whichever scheme you’re registered with), and state the legal basis (legal obligation under the Gas Safety (Installation and Use) Regulations 1998 for gas, or Building Regulations 2010 for electrical).
What regulations apply to tradesperson websites?
UK GDPR and Data Protection Act 2018
Requires a privacy policy covering: what data you collect, why, who you share it with, how long you keep it, and what rights your customers have. For tradespeople, this must include regulatory data sharing (Gas Safe, NICEIC, etc.) and any third-party tools you use for invoicing, scheduling, or marketing.
PECR
If your website uses cookies (almost all do), you need a cookie consent banner with a proper reject option. If you send marketing emails or texts to customers, you need consent.
Companies Act 2006
If you’re a limited company, your website must show your company number, registered address, and place of registration.
E-Commerce Regulations 2002
Your website must display your business name, geographic address, email, and VAT number (if registered).
Consumer Rights Act 2015
Your terms and conditions should cover: pricing and payment terms, cancellation rights, emergency callout terms (if applicable), warranty on parts and labour, complaints procedure, and liability limitations.
Retention periods for tradespeople
Your privacy policy must state how long you keep different types of data. Typical periods for tradespeople:
- Customer contact details: duration of the customer relationship plus 6 years (Limitation Act 1980)
- Gas safety certificates: 2 years minimum (Gas Safety Regulations), but recommended 6 years for liability protection
- Electrical certificates (EICRs): retain for the duration of the certificate (typically 5 years) plus 6 years
- Invoices and financial records: 6 years (HMRC requirement)
- Photographs of work: duration of warranty period plus 6 years, or until customer requests deletion
- Access codes and key safe information: delete immediately upon job completion — there is no reason to retain these
- Subcontractor records: 6 years after the last job they worked on
Important: Access codes, alarm codes, and key safe combinations should be deleted as soon as the job is finished. Retaining this information creates unnecessary security risk and has no legitimate purpose. Your privacy policy should state this explicitly — it builds customer trust.
Common compliance gaps on tradesperson websites
- No privacy policy at all — very common, especially for sole trader tradespeople
- Generic privacy policy — no mention of Gas Safe, NICEIC, regulatory data sharing, or property access data
- No cookie consent — despite using Google Analytics or Facebook tracking
- Company number missing — required for limited companies under Companies Act 2006
- No terms and conditions — or generic T&Cs that don’t cover emergency callouts, warranties, or sector-specific complaints routes
- Checkatrade or Bark privacy policy used instead of your own — directory platform policies don’t cover your business
Get your website compliant in 24 hours
We check your website against GDPR, PECR, Consumer Rights Act, Equality Act, Companies Act, and sector-specific requirements for your trade. Complete compliance pack from £49.
Frequently asked questions
Do plumbers need a privacy policy?
Yes. If you collect customer names, addresses, phone numbers, or payment details — even just to book a job — you are processing personal data and UK GDPR requires you to have a privacy policy. This applies to sole traders, partnerships, and limited companies.
Do tradespeople need to register with the ICO?
Almost certainly yes. If you store customer details electronically — in your phone, a spreadsheet, an invoicing app, or a CRM — you must pay the ICO data protection fee. The cost is £40 per year for micro-businesses. Failure to register is a criminal offence.
Does Gas Safe registration affect GDPR compliance?
Yes. Gas Safe registered engineers share installation and safety data with the Gas Safe Register. Your privacy policy must disclose this data sharing. You should also mention that landlord gas safety certificates are retained and shared as required by the Gas Safety Regulations 1998.
Should I delete access codes after finishing a job?
Yes, immediately. There is no legitimate reason to retain key safe codes, alarm codes, or property access information after a job is complete. Your privacy policy should state that you delete this information upon job completion.
Last updated: 15 February 2026 · This article is for informational purposes and does not constitute legal advice. For complex situations, consult a solicitor.