Privacy Policy

Last updated: 20 May 2026

This policy explains what HeroTasker collects from you, where the data lives, how long we keep it, who we share it with, and the rights you have under UK GDPR. We aim for plain English; if any of it doesn’t land, write to us via the contact form.

What we collect

When you sign up: your email, your name, and a phone number that we verify once with a six-digit SMS code. If you list yourself as a tradesperson, we also collect your base postcode, the trades you cover, your travel radius, and an optional profile photo.

When you use the marketplace: the title, description, budget, postcode, and photos of any task you post; the price and pitch of any offer you send; the messages you exchange after an offer is accepted; and a record of when you reveal a tradesperson’s phone number. We never store the six-digit OTP itself — only a hash and the verified-at timestamp.

Where the data lives

Your account, tasks, offers, messages, and reveal events live in an Aurora Serverless v2 Postgres database hosted in AWS’s London region (eu-west-2). Profile photos and task images are stored in AWS S3, also in eu-west-2. The web application runs on Vercel, which routes traffic from edge regions but does not persist your personal data.

How long we keep it

We keep your data while your account is active. If you deactivate your account, we hide your profile immediately and keep your data for 30 days in case you change your mind. Sign back in within that window and everything is restored. After 30 days, your data is purged. Messages on accepted tasks are kept as long as the task exists so both sides have a record of what was agreed.

Who we share it with

We do not sell your data and we do not share it with advertisers. We rely on a small set of service providers to make the product work:

  • Resend — sends the magic-link sign-in email, the five transactional emails (new bid, bid accepted, new message, daily digest, email-change verification), and the contact-form replies.
  • Twilio — sends the SMS with your one-time phone verification code.
  • AWS — runs the Aurora Postgres database and S3 storage in eu-west-2.
  • Vercel — runs the website and serves it to your browser.
  • postcodes.io — turns a postcode into a latitude and longitude so we can match tradespeople to nearby tasks.
  • PostHog and Sentry — when wired, PostHog records two product events (page view, phone revealed) and Sentry records application errors. Both run with PII scrubbed from payloads.

Cookies

We use essential cookies only — the session cookie set by Auth.js that keeps you signed in. No tracking cookies, no third-party advertising cookies.

Your rights under UK GDPR

You can ask us to do any of the following. We respond within 30 days.

  • Access. Request a copy of your data from /account/data-export. A person on our team puts the file together by hand for now.
  • Rectify. Correct anything that’s wrong — most fields are editable from your account; for anything else, write to us via the contact form.
  • Erase. Deactivate your account. Your profile is hidden immediately and your data is purged 30 days later unless you sign back in.
  • Data portability. Use the same data-export route above or the contact form to request the file in a portable format.

Children

HeroTasker is not for under-18s. We don’t knowingly collect data from children. If you believe we have, write to us and we’ll remove it.

Changes to this policy

If we change this policy in a way that affects you, we’ll say so on this page and update the “Last updated” date at the top.

Get in touch

Privacy questions, data requests, or anything else — use the contact form.