Golden Fred

Privacy Policy

Golden Fred — how we handle personal data

Last updated: 29 April 2026

Effective date: 29 April 2026

This Privacy Policy explains how Pandda Software Solutions Ltd handles personal data in connection with the Golden Fred website, the Golden Fred web platform, the Golden Fred mobile application, Ask Fred, and related services (together, the “Service”).

We are committed to protecting personal data and handling it in line with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

1. Who we are

Pandda Software Solutions Ltd is a company registered in England and Wales under company number 17146631, with its registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ (“Golden Fred”, “we”, “us” or “our”).

You can contact us at hello@goldenfred.com for any question about this Privacy Policy or our handling of personal data.

2. Our role: controller and processor

Our role under UK GDPR depends on the personal data in question.

Controller. We act as a controller for personal data about visitors to our website, prospects, account administrators, billing contacts, personnel of Customers for the purposes of managing the account relationship, and anyone we communicate with for marketing, support, security, and legal purposes.

Processor. We act as a processor for personal data that a Customer uploads or enters into the Service about its own staff, engineers, clients, contacts, sites, and records (including golden thread and compliance records). In that role, we process personal data on the Customer’s documented instructions. Our processing of such personal data is governed by our Data Processing Addendum (available on request).

This Privacy Policy describes our processing as controller. Where we act as processor, the Customer’s own privacy notice should be consulted by individuals whose data they control.

3. Personal data we collect

3.1 Account and identity data
  • Name, job title, and role.
  • Business email address, phone number, and postal address.
  • Login credentials (passwords are stored using industry-standard hashing).
  • Authentication and multi-factor authentication details.
3.2 Business and commercial data
  • Company name, company number, VAT number, trade certifications (for example FIRAS, ASFP).
  • Subscription plan, number of seats, billing contact, and billing history.
3.3 Payment data
  • Bank or card details are processed by our payment providers. We do not store full card numbers.
  • We receive transaction status, masked card details, and payment reference data.
3.4 Usage and technical data
  • Device and browser information, IP address, operating system, and approximate location derived from IP.
  • Log data including pages visited, features used, session timestamps, and error reports.
  • Cookies and similar technologies (see section 11).
3.5 Communications data
  • Emails, chat messages, support tickets, and phone call records with us.
  • Marketing preferences and engagement with our emails and content.
3.6 Customer Content

When Customers use the Service, Customer Content may contain personal data about engineers, site contacts, occupants, clients, and other individuals. We process that personal data as a processor on behalf of the Customer, under the Customer’s instructions. The categories and retention of such data are controlled by the Customer.

3.7 Ask Fred inputs and outputs

When you use Ask Fred, we process the text you input (prompts), any files you attach, and the AI-generated output. These may contain personal data depending on what you submit.

3.8 Sensitive data

We do not intentionally collect special-category personal data (for example, health or biometric data). The Service is not designed for that purpose. Customers must not upload special-category data unless they have a valid legal basis and have agreed appropriate terms with us in writing.

3.9 Mobile application data

When engineers use the Golden Fred mobile application, we (acting as a processor on behalf of the employing Customer) collect the following additional categories of data on the Customer’s documented instructions:

  • Precise location (GPS). The mobile app collects precise GPS location to provide geo-fenced site check-in, route auditing, and compliance evidence required under the Building Safety Act 2022. Location is collected:
    • In the foreground, while the engineer is using the app, for navigation, site check-in, and on-site activity.
    • In the background, while the engineer is on an assigned, active job and the app is running, in order to maintain accurate site presence records and produce reliable evidence of who was on site, when, and for how long.

    Location collection automatically stops when the app is fully closed or removed from recent applications. Engineers can revoke location permission at any time via their device settings; doing so will disable geo-fenced check-in, route auditing, and other location-dependent features.

  • Camera, photos, and videos. The app uses the device camera and access to photos to capture site photos, evidence images, and job documentation. Captured media is associated with the relevant job record and uploaded to the Customer’s tenant within the Service.
  • Digital signatures. Captured during job sign-off, RAMS acceptance, and method statement acknowledgement. Signatures are stored as part of the compliance record.
  • Device information. Device model, operating system version, app version, and a unique installation identifier, used for security, authentication, diagnostics, and crash reporting.
  • Push notification tokens. Where a Customer enables push notifications, we process push tokens issued by Apple Push Notification service or Firebase Cloud Messaging to deliver job assignments, schedule changes, and operational alerts.

The mobile application does not access contacts, SMS, the microphone for recording, calendar, call logs, or any data that is not listed above.

Mobile application data is processed solely for the purposes set out in section 4 and is not sold, shared with advertisers, or used for advertising or third-party analytics targeting.

3.10 Android permissions used by the mobile application

The Golden Fred Android app requests the following permissions, each only for the purposes described:

  • ACCESS_FINE_LOCATION: Precise GPS for navigation and geo-fenced site check-in.
  • ACCESS_COARSE_LOCATION: Approximate location as a fallback where GPS is unavailable.
  • ACCESS_BACKGROUND_LOCATION: Continue location tracking while an assigned job is active and the app is running in the background, to produce reliable on-site evidence.
  • FOREGROUND_SERVICE and FOREGROUND_SERVICE_LOCATION: Keep the location service running reliably during an active job.
  • CAMERA: Capture site photos and evidence within a job.
  • READ_MEDIA_IMAGES (Android 13+) and READ_EXTERNAL_STORAGE (Android 12 and below): Attach existing photos from the device to a job record where the engineer chooses to do so.
  • INTERNET: Sync data with the Golden Fred backend.

iOS permissions are equivalent and limited to the same purposes.

4. How we use personal data

  • Provide the Service: create and administer accounts, authenticate users, deliver features (including mobile app features such as geo-fenced check-in, evidence capture, and job sign-off), provide support, send service notifications.
  • Billing and administration: process subscriptions, take payments, issue invoices, manage credit control, and keep accounting records.
  • Improve the Service: understand how the Service is used, diagnose bugs, improve performance, develop new features. Where we use personal data for improvement, we aggregate or pseudonymise it wherever practicable.
  • Security and fraud prevention: protect the Service and our users from abuse, unauthorised access, and fraud, including access logging and anomaly detection.
  • Communications: respond to enquiries, send service messages, and (where permitted) send marketing about our products and services.
  • Legal and regulatory: meet legal, tax, regulatory, and contractual obligations, respond to lawful requests from regulators and authorities, and enforce our Terms of Use.
  • AI features: process your inputs to generate Ask Fred outputs, monitor and evaluate the safety and quality of AI features, and meet our obligations to AI model providers.

We do not use mobile application data for advertising. We do not sell mobile application data. We do not share mobile application data with data brokers.

5. Legal bases for processing

Under UK GDPR, we rely on the following legal bases:

  • Contract: to provide the Service, manage accounts, and meet our obligations under our agreement with the Customer.
  • Legitimate interests: to run and promote our business, keep the Service secure, improve it, communicate with prospects and customers, and defend our rights. Where we rely on legitimate interests, we balance those interests against the rights of individuals. You can object to this processing at any time.
  • Legal obligation: to meet tax, accounting, regulatory, and other legal duties.
  • Consent: where required, for example for certain cookies and direct marketing to personal email addresses, and for the Android and iOS runtime permissions used by the mobile app (location, camera, photos, notifications). You can withdraw consent at any time, including by revoking the relevant permission in your device settings.

6. Who we share personal data with

We do not sell personal data. We share personal data only where necessary and with appropriate safeguards.

  • Service providers (sub-processors): we use carefully selected third parties to host infrastructure, run the database, send email, process payments, run analytics, provide customer support tools, deliver push notifications (Apple Push Notification service and Google Firebase Cloud Messaging), and deliver AI model capabilities for Ask Fred. A current list of sub-processors is available on request.
  • Professional advisers: lawyers, accountants, auditors, and insurers, under duties of confidentiality.
  • Regulators and authorities: where required by law, regulation, or valid legal process.
  • Corporate transactions: if we are involved in a merger, acquisition, reorganisation, financing, or sale of assets, personal data may be transferred to the counterparty, under appropriate confidentiality obligations.
  • Customer-directed sharing: where a Customer configures the Service to share Customer Content with a third party (for example, an integration with an accounting or email tool), we share the relevant personal data to carry out that instruction.

7. International transfers

We primarily host personal data in the United Kingdom and the European Economic Area. Where personal data is transferred outside the UK to a country that the UK has not deemed to provide an adequate level of protection, we put in place appropriate safeguards required by UK GDPR, which may include the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or other approved mechanisms.

We carry out transfer risk assessments where required and implement additional technical and organisational measures as appropriate.

8. How long we keep personal data

We keep personal data only as long as necessary for the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

  • Account data: for the duration of the subscription and for a reasonable period after termination to deal with queries, disputes, and legal claims.
  • Billing and accounting records: typically at least six years to meet HMRC and company law obligations.
  • Marketing data: until you unsubscribe or tell us to stop.
  • Support and communications records: typically up to six years.
  • Security logs: typically up to 12 months unless needed longer for investigation.
  • Customer Content (including mobile-captured photos, videos, signatures, and location records): for as long as the Customer keeps it in the Service. On termination, Customers have a 30-day window to export Customer Content, after which we may delete it. Customers remain responsible for their own retention obligations, including under the Building Safety Act 2022 golden thread requirements, which may require long-term retention independent of the Service.
  • Mobile diagnostic and crash data: typically up to 12 months.

Where we no longer need personal data, we delete it, anonymise it, or put it beyond use.

9. How we protect personal data

We use appropriate technical and organisational measures to protect personal data, including:

  • encryption of data in transit and at rest using industry-standard protocols;
  • role-based access controls and least-privilege principles for our staff;
  • multi-factor authentication for administrative access;
  • regular backups, monitoring, and vulnerability management;
  • contractual and security commitments from our sub-processors;
  • staff training, confidentiality obligations, and incident-response procedures.

No system is perfectly secure. If we become aware of a personal data breach that meets the notification threshold under UK GDPR, we will notify the Information Commissioner’s Office and, where required, affected individuals and Customers.

10. Your rights

Under UK GDPR, you have the following rights in relation to personal data we hold about you as controller:

  • Access: to ask for a copy of your personal data.
  • Rectification: to ask us to correct inaccurate or incomplete personal data.
  • Erasure: to ask us to delete personal data in certain circumstances.
  • Restriction: to ask us to restrict processing in certain circumstances.
  • Objection: to object to processing based on legitimate interests, including direct marketing.
  • Portability: to ask us to provide certain personal data in a structured, commonly used, machine-readable format.
  • Withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal. For mobile permissions, you can withdraw consent at any time through your device’s permission settings.
  • Automated decision-making: we do not make decisions that produce legal or similarly significant effects solely by automated means. Ask Fred outputs are suggestions for human review, not automated decisions.

To exercise any of these rights, email hello@goldenfred.com. We may need to verify your identity. We will respond within the timescales required by law (usually one month).

If your personal data sits in the Service as Customer Content (for example, because your employer is a Customer), you should contact that Customer first, as they control that data. We will help them respond as necessary.

11. Cookies and similar technologies

We use cookies and similar technologies on our website and within the Service to:

  • keep you signed in and remember your preferences (strictly necessary and functional);
  • understand how the Service is used and improve it (analytics);
  • measure the effectiveness of our communications and, where applicable, marketing.

You can control non-essential cookies through our cookie banner and your browser settings. Blocking strictly necessary cookies may break parts of the Service. More information is in our Cookie Notice (if published on our website).

12. Marketing

We may send business-to-business marketing about our products and services where permitted by the Privacy and Electronic Communications Regulations and UK GDPR. You can opt out of marketing at any time using the unsubscribe link in each email or by emailing hello@goldenfred.com.

13. Children

The Service, including the Golden Fred mobile application, is intended for businesses and for users aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact hello@goldenfred.com and we will delete it.

14. Ask Fred and AI processing

When you use Ask Fred:

  • your inputs and the generated outputs are processed by us and, where applicable, by our AI model providers acting as our sub-processors;
  • we use appropriate contractual safeguards with AI providers, including terms that restrict their use of your inputs to providing and securing the service and do not permit training of their general-purpose models on your Customer Content without a separate, opt-in agreement;
  • we do not use Customer Content to train our own or any third party’s general-purpose AI models without the Customer’s written agreement;
  • we may retain logs of AI interactions for security, abuse prevention, quality monitoring, and service-improvement purposes, consistent with the retention periods in section 8;
  • AI outputs can be incomplete or wrong. You must not rely on them without human review. See our Terms of Use for more on AI features.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top shows when it was last changed. If we make material changes, we will tell you by email or through the Service.

16. Complaints

If you have a concern about how we handle personal data, please contact us first at hello@goldenfred.com so we can try to resolve it.

You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Helpline: 0303 123 1113

Website: ico.org.uk

17. Contact

Pandda Software Solutions Ltd

Email: hello@goldenfred.com

Registered office: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ

Company number: 17146631

Registered in England and Wales.
