Skip to main content

Legal

Privacy Policy

Last updated: 2026-05-25

1. Who is the data controller

Sitelad (operated by Chris Goodchild trading as Sitelad, based in England) is the data controller for personal data you provide via the Sitelad marketing site and admin. For data your customers submit through your tenant site (enquiries, bookings), you are the controller and Sitelad acts as a processor on your behalf.

2. How to contact us

For privacy questions or to exercise your rights, email privacy@sitelad.co.uk.

3. What we collect

  • Account data: email address (for magic-link sign-in), session cookies, and the user id Supabase assigns.
  • Tenant data: business name, address, phone, email, brand colours, logo, photos, opening hours, areas covered, the copy you write or accept.
  • Billing data: Stripe customer id and subscription metadata. Card details are held by Stripe — we never see them.
  • Marketing-site enquiries: name, email, and message submitted via the contact form.
  • Operational logs: request metadata (IP, user agent, timestamps) for security, debugging, and rate-limiting.

4. Legal bases

  • Contract: account, tenant, and billing data, processed so we can deliver the service you’ve subscribed to.
  • Legitimate interest: operational logs and abuse prevention. We balance our interest against your rights and keep the data short-lived where possible.
  • Consent: marketing emails (if any are added in future), where you explicitly opt in.

5. Retention

Account and tenant data are retained for as long as your subscription is active and for 30 days after cancellation to allow re-activation. After that we delete or anonymise the records. Billing records are retained for 6 years to meet UK tax law requirements.

6. Your rights

  • Access — request a copy of the data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data, subject to legal limits.
  • Data portability — ask for your data in a machine-readable format.
  • Objection / restriction — object to or restrict processing.
  • Complain to the ICO at ico.org.uk if you think we’ve mishandled your data.

7. Processors we use

  • Supabase (EU region) — database, auth, storage.
  • Stripe — payment processing.
  • Amazon Web Services (SES) — transactional email (booking confirmations, contact-form receipts).
  • Cloudflare — DNS, CDN, optional domain registration.
  • Vercel — application hosting.
  • Anthropic — AI copy generation during onboarding. The prompts we send describe the trade and area; we do not send customer enquiries to Anthropic.

8. International transfers

Our primary data store is in the EU. Some processors (e.g. Stripe, Amazon Web Services, Anthropic) may transfer data outside the UK/EU under Standard Contractual Clauses or equivalent safeguards. Details are in each processor’s own privacy notice.

9. Cookies

See our Cookie Policy. The marketing site uses only strictly-necessary cookies; no consent banner is shown at launch.

10. Changes

We will update this notice when our processing changes. Material changes will be notified by email to active customers at least 14 days before they take effect.