GotAPal — Privacy Policy (DRAFT)

Effective date: [to set on launch]

Controller: Towpath Digital Ltd, registered in England no. 16913912, registered office [address] ("Towpath", "we", "us").

Service: GotAPal directory at gotapal.com and related domains.

ICO registration: [ICO no. once registered].

DPO contact: privacy@gotapal.com (currently routes to the Towpath data protection lead).

Draft. Final requires UK lawyer + ICO-registration step.

---

What we want you to know in one paragraph

GotAPal is a directory of UK local businesses. We get most of our data from the public Companies House register — name, registered address, SIC code, company number, status. When a business owner ("Pal") claims their listing, they tell us their own contact details and add content. When a customer enquires through us, we forward their enquiry to the Pal. We don't sell your personal data and we don't run third-party ad networks on the site. We do use a small number of standard tools (Stripe for payments, Resend for email, GA4 for analytics) — listed below.

1. The data we collect

a. Business directory data

Sourced from Companies House BasicCompanyData under Open Government Licence v3.0:

• Business name, registered address (city + postcode + first address line), Companies House number, SIC codes, status (active/dissolved).
• We do *not* publish officer (director) names, dates of birth or correspondence addresses on listing pages, even though Companies House publishes them.

b. Data Pals give us when they claim

• Name, email, phone (optional but recommended).
• Business description, services, hours, photos, social links.
• Payment method via Stripe (Stripe holds the card; we only see last 4 digits, brand, country).

c. Data customers give us when they enquire

• Name, email, phone (optional), postcode (helps the Pal estimate).
• The enquiry text.

d. Data we collect automatically

• Standard server logs (IP, user agent, requested URL, timestamp) — retained 30 days.
• Cookies — see section 6.
• Google Analytics 4 measurement events if you consented to analytics cookies.

e. Data we do *not* collect

• Bank account or full card numbers (Stripe handles).
• Special-category data (health, religion, sexuality, politics) — there is no legitimate reason for GotAPal to hold any.
• Children's data — GotAPal is not aimed at under-18s.

2. Legal basis (UK GDPR Article 6)

For each processing activity:

What	Basis
Republishing CH business data on the public directory	Legitimate interests (Art. 6(1)(f)) — running a UK business directory that's already public information under OGL
Processing a Pal's claim and account data	Contract performance (Art. 6(1)(b))
Sending payment receipts and service emails	Contract performance + legitimate interests
Cold-emailing unclaimed-listing addresses (one-shot, PECR-compliant)	Legitimate interests (B2B contact); soft-opt-in does not apply
GA4 analytics + non-essential cookies	Consent (Art. 6(1)(a)) — only if you've agreed
Customer enquiries forwarded to Pals	Contract performance + your explicit choice to contact the Pal

3. Sharing your data

We share data with:

• Stripe (payment processing — Ireland; standard contractual clauses for transfers).
• Resend (transactional email — EU/US; SCCs).
• Supabase (database hosting — EU/US; SCCs).
• Krystal (UK hosting for our origin servers — UK).
• Cloudflare (DNS, CDN, anti-abuse — global; SCCs).
• Google Analytics 4 if you've consented to analytics cookies.

We don't sell your personal data. We don't allow third parties to advertise to you on our site. We don't share your enquiry-text or claim-content with any party other than the Pal you sent it to.

If we ever change a sub-processor, we'll update this page; material changes get 30 days' notice to registered Pals.

4. How long we keep your data

Type	Retention
Public CH directory data	While the company is "active" on the CH register, plus 12 months
Claimed listing content	Until the Pal asks us to remove it or the business dissolves
Account email/phone for a claimed Pal	Duration of account + 6 years after closure (HMRC tax records minimum)
Customer enquiries	12 months after sending, then anonymised aggregates only
Payment records	6 years (HMRC requirement)
Server logs	30 days
GA4 events	14 months
Marketing/cold-email "do not contact" list	Forever (so we don't re-email)

5. Your rights

Under UK GDPR you have the right to:

1. Access the data we hold about you.
2. Rectification of inaccurate data.
3. Erasure ("right to be forgotten") — note: business directory entries from CH open data can be removed under clause 9 of our Terms but the underlying CH record remains public.
4. Restriction of processing while we sort something out.
5. Portability — a machine-readable export of data you've given us.
6. Objection to processing based on legitimate interests, especially direct marketing.
7. Withdraw consent at any time (cookies, marketing emails) — equally easily as you gave it.
8. Complain to the ICO at ico.org.uk if you think we've handled your data badly. We'd rather you came to us first — we'll fix it faster — but you don't have to.

Exercise any of these rights by emailing privacy@gotapal.com. We'll respond within 30 days (one month is the legal maximum; we aim for 7 working days in practice).

6. Cookies

We use:

Cookie	Purpose	Type	Required?
__session	Auth (keeps you logged in)	Strictly necessary	Yes
csrf	Protect against forged submissions	Strictly necessary	Yes
consent	Remembers your cookie choices	Strictly necessary	Yes
_ga, _ga_*	Google Analytics 4	Analytics	Only if you accept
cf_*	Cloudflare anti-abuse	Strictly necessary	Yes

We do not use advertising cookies and we don't share cookie data with ad networks.

Our cookie banner defaults to "essential only" — analytics requires explicit opt-in.

7. Children

GotAPal is not aimed at under-18s. We don't knowingly collect data from anyone under 13. If you think a child has provided us data, email privacy@gotapal.com and we'll remove it.

8. International transfers

Some of our sub-processors (Stripe, Resend, Supabase, Google) may store data in the US. Where they do, we rely on:

• The UK's data adequacy decision for the EU (for EU sub-processors).
• Standard Contractual Clauses + supplementary measures for US sub-processors.

We don't transfer data to countries without an adequacy decision unless one of the above safeguards is in place.

9. Security

We hold data in encrypted databases. Access is restricted to staff who need it for their job. Payment-card data never touches our servers — Stripe handles it. We have a disclosed-by-default approach to breaches: we'll tell you within 72 hours of becoming aware, even before the ICO requires it.

10. Changes to this policy

Material changes get 30 days' notice to registered Pals by email. Minor wording fixes happen here without notice. The "Effective date" at the top is always current.

11. Contact

• Email: privacy@gotapal.com
• Operator: Towpath Digital Ltd, [address], company no. 16913912
• ICO ref: [once registered]

---

*Draft for review. Reviewer to confirm: ICO registration done; PECR compliance for the cold-email flow; SCCs in place with all named sub-processors.*