Privacy Policy
Last Updated: 14 November 2025
1. Introduction
Welcome to PostcodAI ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and protect your information when you use our property analysis service at postcodai.com.
PostcodAI is operated from the United Kingdom and complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, name (when you create an account via Clerk authentication)
- Payment Information: Processed securely by Stripe. We do not store your full credit card details
- Search Queries: Postcodes, budget ranges, and property preferences you search for
2.2 Information We Collect Automatically
- Session Cookies: We use session cookies to track your search usage for rate limiting (3 free searches per month). These cookies persist for 30 days
- IP Address: Used as a fallback for rate limiting if cookies are disabled
- Usage Data: Search history, timestamps, and feature usage to improve our service
- Device Information: Browser type, operating system, and device type for analytics
2.3 Third-Party Data
We use publicly available UK government data (Land Registry, EPC, Crime Data, Schools) to provide our service. This data does not contain your personal information. See our Data Sources page for details.
3. How We Use Your Information
- Provide Our Service: Process searches, generate property analysis, and deliver AI insights
- Rate Limiting: Enforce the 3 free searches per month limit for free users
- Payment Processing: Manage subscriptions and billing through Stripe
- Account Management: Authenticate users and manage premium access
- Service Improvements: Analyze usage patterns to improve features and user experience
- Communication: Send service updates, payment receipts, and subscription notifications
- Legal Compliance: Comply with legal obligations and enforce our terms
4. Legal Basis for Processing (UK GDPR)
We process your personal data under the following legal bases:
- Contract Performance: Processing necessary to provide our service when you create an account
- Legitimate Interests: Rate limiting, fraud prevention, and service improvements
- Consent: For optional email marketing (you can opt out at any time)
- Legal Obligation: Compliance with tax, accounting, and data protection laws
5. Data Sharing and Third Parties
We share your data only with trusted third-party service providers:
- Clerk: Authentication and user management (USA, Privacy Shield certified)
- Stripe: Payment processing (Ireland, GDPR compliant)
- Anthropic (Claude AI): AI analysis generation (USA, does not store your queries)
- Google Maps: Map display and geocoding (Ireland/USA, GDPR compliant)
- Railway: Backend hosting (EU region)
- Vercel: Frontend hosting (EU region)
We do NOT sell, rent, or trade your personal information to third parties for marketing purposes.
6. Data Retention
- Active Accounts: Retained while your account is active
- Search History: Retained for 12 months for analytics and service improvement
- Payment Records: Retained for 7 years for tax and accounting compliance (UK law)
- Deleted Accounts: Personal data deleted within 30 days of account deletion (except payment records required by law)
7. Your Data Protection Rights (UK GDPR)
You have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for optional processing (e.g., marketing)
To exercise these rights, email us at support@postcodai.com. We will respond within 30 days.
8. Cookies Policy
We use the following cookies:
- Essential Cookies: Session authentication (Clerk) - Required for service functionality
- Rate Limiting Cookies: Track your search count (30-day expiry) - Required to enforce fair use
You can disable cookies in your browser, but this may limit functionality (e.g., you'll be rate-limited by IP instead). We do not use advertising or tracking cookies.
9. Data Security
We implement appropriate technical and organizational measures to protect your data:
- HTTPS encryption for all data transmission
- Secure database with encrypted connections (PostgreSQL)
- Regular security updates and monitoring
- Access controls and authentication
- Third-party services are SOC 2 compliant and GDPR certified
While we take security seriously, no internet transmission is 100% secure. You use our service at your own risk.
10. Children's Privacy
Our service is not intended for children under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.
11. International Data Transfers
Some of our service providers are based outside the UK/EU (e.g., Clerk, Anthropic in the USA). We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the UK ICO
- Privacy Shield certification (where applicable)
- GDPR compliance commitments from providers
12. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of our service after changes constitutes acceptance.
13. Complaints and Regulatory Authority
If you have concerns about how we handle your data, you have the right to lodge a complaint with the UK's supervisory authority:
14. Contact Us
For privacy-related questions or to exercise your rights, contact us:
Email: support@postcodai.com
General Inquiries: kateryna@postcodai.com
This privacy policy is effective as of 14 November 2025.
PostcodAI is committed to protecting your privacy and complying with UK GDPR.