The Lads logo

Privacy Policy

Last updated: 6/4/2026

1. Scope and Roles

This policy explains how The Lads collects and uses personal data when you use our customer and professional experiences. For GDPR purposes, The Lads is the data controller for account, request, and platform usage data described below.

2. Data We Collect

We collect data that is necessary to operate the service, including:

  • Account and authentication data: phone number and OTP verification status.
  • Request data: requested service, location, description, timestamps, and request type.
  • Professional profile data: business name, address, phone, services, and related listing attributes.
  • Operational metadata: basic logs for abuse prevention, rate limiting, and reliability monitoring.

3. Why We Process Data

We process personal data to:

  • Authenticate users through one-time passcodes sent by SMS.
  • Match customers with professionals and deliver quotes or availability responses.
  • Protect the platform from abuse, fraud, and automated misuse.
  • Maintain service reliability and investigate technical incidents.

Our legal bases generally include performance of a contract (to provide requested services), legitimate interests (platform security and abuse prevention), and consent where required for specific communications.

4. Processors and Third-Party Services

We use vetted third-party processors that process data on our behalf to deliver core functionality:

  • Twilio Verify and Messaging: OTP delivery and job outreach SMS delivery.
  • Google Maps and Places APIs: search and mapping features.
  • Cloud infrastructure and database providers: secure hosting, storage, and backups.

We do not sell personal data.

5. Data Sharing Rules

During initial discovery and quoting, direct phone details are minimized where possible. Contact data may be shared between a customer and a professional when required to fulfill the requested service interaction.

6. Retention Windows

Our retention approach is data-minimization based. Current operational targets are:

  • Authentication and OTP-related logs: up to 30 days, unless needed longer for abuse investigation.
  • Request and quote metadata: up to 24 months from last activity for support, dispute handling, and service continuity.
  • Professional match metadata and outreach records: up to 24 months from last activity.
  • Account-level phone and profile data: retained while the account is active, then deleted or anonymized after verified closure requests unless legal obligations apply.

We do not store OTP codes after verification and we avoid retaining verification details beyond what is needed for security monitoring.

7. International Data Transfers

Some processors may handle data outside the EEA/UK. Where transfers occur, we apply appropriate safeguards such as contractual protections and processor controls.

8. Security Measures

We use transport encryption, authenticated API access, and environment-based secret management to protect data in transit and at rest. We also apply rate limiting and session controls to reduce abuse risk.

9. Your GDPR Rights and How to Exercise Them

If you are in the EEA/UK, you can request access, correction, deletion, restriction, portability, or objection. You can submit requests by emailing dev@cruxai.iewith subject line "Data Rights Request", or by using the support options on the Support page.

To protect your account, we may verify your identity before fulfilling requests. We aim to respond within 30 days unless legally permitted to extend.

10. Consent for OTP

Before requesting a one-time verification code, users are shown consent language linking this policy and our Terms. By proceeding, you consent to receiving transactional OTP SMS messages for authentication.