Privacy Notice

DataDeal Technologies Ltd. is the data controller of the personal data described in this notice. We are incorporated in England and Wales and operate the platform from the United Kingdom. You can reach our data protection contact at datadeal50@co.uk.

We are not currently required to register a separate Data Protection Officer under Article 37 of the UK GDPR; the named contact above answers all data-protection enquiries.

We process the following categories of personal data:

• Account data — email address, hashed password, subscription tier, trial start date, Stripe customer ID, registration timestamp.
• Usage data — analyses run, listing URLs submitted, strategies viewed, saved deals, layer toggles on the Intelligence Map, all logged with a per-request correlation ID.
• Billing data — held by Stripe Payments UK Ltd. as the payment processor; we receive only the customer reference, subscription status and last-four of the payment card.
• Technical data — IP address (used for rate limiting and security only; not stored alongside account identifiers in logs), browser user-agent, language and time-zone offset.
• Analytics data (opt-in only) — anonymised event metadata via PostHog (EU region) and JavaScript error traces via Sentry (EU region). See section 5.

We do not knowingly collect special-category data (UK GDPR Art. 9) and do not run advertising profiling.

We rely on the following lawful bases under UK GDPR Article 6:

• Contract (Art. 6(1)(b)) for account data, usage data and billing data — processing is necessary to deliver the service you have subscribed to.
• Legitimate interests (Art. 6(1)(f)) for technical data used to keep the platform secure and to enforce rate limits.
• Consent (Art. 6(1)(a)) for analytics cookies and product analytics. You can withdraw consent at any time via the cookie preferences link in the footer.
• Legal obligation (Art. 6(1)(c)) where we retain accounting records under the Companies Act 2006 and tax records under HMRC rules.

• to register your account, authenticate logins and persist saved analyses;
• to run the strategy engine against the listing URLs and inputs you submit, and to return the result to your browser;
• to administer the subscription (Stripe Checkout, dunning, invoices in the Customer Portal);
• to monitor for abuse, enforce rate limits and protect the platform’s integrity;
• to send essential service emails (trial-ending notice, payment failure, security alerts);
• to improve the product through aggregated, anonymised analytics (subject to your consent).

We do not sell personal data and we do not share it with third parties for their own marketing purposes.

Essential cookies (login session, CSRF token, billing checkout) are always set because the platform cannot function without them. Analytics cookies (PostHog product analytics and Sentry error tracking, both EU-hosted) are only set after you click Accept analytics in the banner. The full breakdown is on the Cookie Policy page.

We do not run session recording, autocapture or behavioural advertising.

We use the following sub-processors:

• Hetzner Online GmbH (Germany) — primary infrastructure hosting (application, database, backups in transit to Cloudflare R2).
• Cloudflare Inc. — encrypted off-site backup storage (R2, EU region) and edge caching of static assets.
• Stripe Payments UK Ltd. — subscription billing and the customer-facing invoice portal.
• PostHog Inc. (EU region, Frankfurt) — opt-in product analytics.
• Functional Software Inc. (Sentry) (EU region, Frankfurt) — opt-in JavaScript error tracking.
• BetterStack — uptime and status-page service polling our public /health/readyendpoint; no user data is shared.

Each processor is bound by a data-processing agreement that requires equivalent technical and organisational measures and UK GDPR compliance. Personal data does not leave the EU/UK for routine processing.

• Account and saved analyses — kept for the life of the account; for thirty (30) days after cancellation to permit re-subscription; then deleted.
• Billing records — retained for six (6) years from the end of the relevant financial year to comply with HMRC record-keeping rules.
• Security and request logs — retained for ninety (90) days, with IP addresses pseudonymised after thirty (30) days.
• Database backups — encrypted snapshots held in Cloudflare R2 with a thirty (30) day retention window enforced by rclone delete --min-age 30d.
• Analytics events — retained according to the PostHog / Sentry defaults (twelve months for PostHog, ninety days for Sentry) and tied to a randomised distinct-id, not your email.

Under UK GDPR you have the right to:

• access the personal data we hold about you;
• have inaccurate data corrected;
• have data erased where the lawful basis no longer applies;
• restrict or object to processing;
• receive a portable copy of your data in machine-readable form;
• withdraw consent for analytics processing at any time.

To exercise any of these rights, email datadeal50@co.uk from the email address on your account. We respond within one calendar month. You can also lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk/make-a-complaint.

Passwords are hashed with bcrypt at cost factor 12. Access tokens are short-lived JWTs (15-minute access, 30-day refresh) stored in HttpOnly cookies marked Secure and SameSite=Lax. Traffic is served exclusively over HTTPS (TLS 1.2+) with HSTS for one year. The platform is protected by a Content Security Policy and per-endpoint rate limits. Backups are encrypted in transit and at rest. We test database restore on a recurring basis.

DataDeal is a B2B product and is not intended for, marketed to or used by anyone under 18. We do not knowingly process children’s personal data.

Routine processing happens within the United Kingdom and the European Economic Area. Where a sub-processor is established outside the UK/EEA (for example a parent group in the United States), transfers are governed by the UK International Data Transfer Addendum and the European Commission’s Standard Contractual Clauses.

We may update this notice from time to time. The version number and effective date at the top change with each revision. Material changes will be notified by email to the address on your account at least thirty (30) days in advance where practicable.