
Privacy Policy

Last updated: 17 April 2026

This Privacy Policy explains how [LEGAL_ENTITY_NAME] ("we", "us", or "our") collects, uses, and shares personal data when you use SurveyorSmart (the "Service"). We are the data controller for personal data processed through the Service, unless stated otherwise in Section 2.

1. Who We Are

Data controller: [LEGAL_ENTITY_NAME]
Contact email: [CONTACT_EMAIL]
Contact form: surveyorsmart.co.uk/contact

If you have any questions about this policy, or wish to exercise any of your rights under UK GDPR, please contact us via the email address or contact form above. Our postal address is available on request.

2. Your Role and Ours

When you create an account and use the Service to manage your own account details and preferences, we act as the data controller of your personal data.

When you upload personal data about third parties — for example, details about homeowners, clients, or other individuals included in your survey reports — you are acting as the data controller of that data, and we act as a data processor on your behalf. You are responsible for ensuring you have a lawful basis to process that data and for providing appropriate privacy information to those individuals.

3. Personal Data We Collect

We collect the following categories of personal data:

  • Account information: name, email address, hashed password, two-factor authentication secret, profile details.
  • Content you create: report contents, property addresses, photos (which may contain location metadata in EXIF data), notes, and related survey material.
  • Usage data: pages visited, features used, actions taken within the Service, approximate session duration.
  • Technical data: IP address, browser type and version, operating system, device identifiers, referring URLs.
  • Communications: messages you send us, support requests, and feedback.
  • Billing data (if and when applicable): billing name, address, VAT details; card details are handled directly by our payment processor — we do not see or store full card numbers.

4. How We Use Personal Data and Legal Bases

We process personal data for the following purposes and on the following legal bases under UK GDPR:

  • To provide the Service (account, report tools, AI features, storage) — legal basis: performance of a contract with you.
  • To keep the Service secure (fraud prevention, abuse detection, authentication, logging) — legal basis: our legitimate interests in operating a secure service, and legal obligation.
  • To improve and develop the Service (aggregated usage analysis, debugging) — legal basis: our legitimate interests in improving our product, balanced against your rights.
  • To communicate with you (service announcements, account notifications, support replies) — legal basis: performance of a contract, or our legitimate interests.
  • To send marketing communications (only if you have opted in) — legal basis: your consent, which you can withdraw at any time.
  • To comply with legal obligations (tax, accounting, responding to lawful requests) — legal basis: legal obligation.

5. Third-Party Processors

We use the following third parties to operate the Service. Each processes personal data only on our instructions and under appropriate contractual terms:

  • Anthropic (United States): provides the AI (Claude) used for content suggestions, pre-send review, photo analysis, and related features. Report content and property data you submit to AI features are transmitted to Anthropic for processing.
  • Vercel (United States): hosting and content delivery.
  • Neon / Prisma Data Platform: managed PostgreSQL database.
  • UploadThing (United States): image and file storage.
  • Google (Maps) (United States): map rendering for property location features.
  • Resend (United States): transactional email delivery (password resets, notifications).
  • Sentry (United States): application error monitoring.
  • RapidAPI / uk-property-data (United Kingdom / United States): UK property lookup data.
  • postcodes.io (United Kingdom): postcode and local authority lookup.
  • Environment Agency (United Kingdom): public flood-risk spatial data.

We may also share personal data with professional advisers (accountants, lawyers), with legal or regulatory authorities where required by law, and in connection with a merger, acquisition, or sale of business assets.

6. International Transfers

Several of our processors are based outside the United Kingdom, primarily in the United States. Where personal data is transferred outside the UK, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or the UK Extension to the EU–US Data Privacy Framework (where the processor is certified). You can request further information about these safeguards by contacting us.

7. How Long We Keep Personal Data

  • Account data: for as long as your account is active, and for up to 90 days after closure to allow account recovery and to resolve any outstanding issues.
  • Your Content (reports, photos, property data): for as long as your account is active. On account deletion we remove or anonymise content within a reasonable period (typically 30 days), subject to backup retention cycles of up to 90 days.
  • Technical logs and security data: up to 12 months.
  • Billing and tax records (when applicable): 6 years, as required by UK tax law.
  • Error monitoring data: up to 90 days in Sentry.

We may retain data for longer if required to comply with a legal obligation, or to establish, exercise, or defend legal claims.

8. Cookies and Similar Technologies

We use strictly necessary cookies to keep you signed in and to protect against cross-site request forgery. These are required for the Service to function and do not require consent under the Privacy and Electronic Communications Regulations (PECR).

If we introduce analytics or marketing cookies in the future, we will request your consent via a cookie banner before setting them.

9. Security

We take reasonable technical and organisational measures to protect personal data, including TLS encryption in transit, password hashing, optional two-factor authentication, access controls, and regular dependency updates. However, no method of transmission or electronic storage is 100% secure.

If we become aware of a personal-data breach that poses a risk to your rights, we will notify the Information Commissioner's Office within 72 hours as required by UK GDPR, and will notify affected individuals directly where required.

10. Your Rights

Under UK GDPR you have the following rights in relation to your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate or incomplete data.
  • Erasure: ask us to delete your personal data (the "right to be forgotten").
  • Restriction: ask us to restrict processing in certain circumstances.
  • Portability: request a copy of your data in a portable format.
  • Objection: object to processing based on our legitimate interests, or to direct marketing.
  • Withdraw consent: where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Rights related to automated decision-making: you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. The Service's AI features assist with content generation and are not used to make solely automated decisions with such effects.

To exercise any of these rights, contact us at [CONTACT_EMAIL]. We will respond within one month.

11. Complaints

If you are unhappy with how we handle your personal data, please contact us first and we will try to resolve the issue. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

12. Children

The Service is intended for professional users and is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes we will provide at least 30 days' advance notice by email or in-app notification. The "last updated" date at the top of this page will always reflect the latest version.