Privacy Policy
Last updated: 17 May 2026
1. What we collect and why
We collect the minimum data needed to run the service.
- Your email address — when you join the waitlist or create an account. We send you a magic link to sign in; no password is ever stored.
- URLs you submit for scanning — each URL is fetched and analysed by our scanner. We store the URL, the scan results, and your risk score so you can view your history.
- Billing data — if you subscribe to Pro or Agency, Stripe processes your payment. We store your Stripe customer ID and subscription status; we never see or store your card number.
- Usage logs — standard server logs (timestamp, IP address, HTTP method, response code). Retained for 30 days for security purposes.
2. Legal basis
Under UK GDPR, we process your data under the following bases:
- Contract (Article 6(1)(b)) — processing your email and scan data is necessary to provide the service you signed up for.
- Legitimate interests (Article 6(1)(f)) — server logging for security and fraud prevention.
- Consent (Article 6(1)(a)) — marketing emails, if you opt in.
3. Where your data is stored
Your account data and scan results are stored in Supabase, hosted in its EU West (London) region, so that data is held in the UK. Stripe, which is US-based, holds your billing data; that transfer to the US is covered by Standard Contractual Clauses in the form recognised under UK GDPR (the UK Addendum).
4. How long we keep it
- Account data and scan history — while your account is active, plus 30 days after deletion
- Billing records — 7 years (UK tax law requirement)
- Server logs — 30 days
- Waitlist emails — until launch, or until you unsubscribe, whichever comes first
5. Who we share data with
We do not sell your data. We share it only with:
- Supabase — our database and authentication provider (EU region)
- Stripe — payment processing (US-based; the transfer safeguard is described in section 3)
- Law enforcement — if required by UK law or a valid court order
No third-party advertising networks receive your data. Note that when our pages load fonts from Google Fonts, your browser fetches them directly from Google, so Google receives your IP address and browser details for that request (see section 6).
6. Cookies
The GDPR Radar marketing pages (gdprradar.co.uk) set no cookies. When you are signed in to the app, one session cookie keeps you logged in. We load fonts from Google Fonts, which means your browser requests the font files from Google's servers and Google sees your IP address and browser details in that request; see our Cookie Policy for details.
7. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account and associated data
- Export your scan history in machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent for marketing at any time
Email privacy@gdprradar.co.uk to exercise any of these rights. We will respond within 30 days. If you are unhappy with our response, you can complain to the Information Commissioner's Office (ICO).
8. Security
All traffic between your browser and our servers is encrypted with TLS (HTTPS). Database access requires authentication, and row-level security policies in the database restrict every query to the rows that belong to the signed-in account, so your scan history is not readable by other users. We do not store passwords: authentication is via email magic links only, which means access to your GDPR Radar account depends on access to your email inbox, so keep that inbox protected.
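For readers who want to see what "row-level security" means in practice, the following is an added illustration written for this page, not GDPR Radar's actual schema or policies. It assumes a hypothetical `scans` table and uses Supabase's built-in `auth.uid()` helper and `authenticated` role, which return the signed-in user's ID from their session token.

```sql
-- Added example (hypothetical table and policy names), showing the
-- Supabase/PostgreSQL row-level security pattern described above.

create table scans (
  id          bigint generated always as identity primary key,
  -- auth.uid() is Supabase's helper returning the ID of the signed-in user
  user_id     uuid not null default auth.uid(),
  url         text not null,
  risk_score  integer,
  created_at  timestamptz not null default now()
);

-- With RLS enabled and no policies, the authenticated role sees zero rows.
alter table scans enable row level security;
-- Apply the policies even to the table owner, so no role bypasses them.
alter table scans force row level security;

-- Each user can read only rows whose user_id matches their own ID.
create policy "scans: owner can read" on scans
  for select to authenticated
  using ((select auth.uid()) = user_id);

-- Each user can insert only rows stamped with their own ID.
create policy "scans: owner can insert" on scans
  for insert to authenticated
  with check ((select auth.uid()) = user_id);

-- Each user can delete only their own rows (used for account deletion).
create policy "scans: owner can delete" on scans
  for delete to authenticated
  using ((select auth.uid()) = user_id);

-- No update policy is defined, so scan results are immutable once stored;
-- an update by any authenticated user affects zero rows.

-- Check: run as a signed-in user (the API role carries that user's JWT).
-- Only rows whose user_id equals the caller's ID are returned.
select id, url, risk_score, created_at
from scans
order by created_at desc;
```

Two practical notes: wrapping `auth.uid()` in `(select ...)` lets PostgreSQL evaluate it once per query rather than once per row, and `force row level security` closes the gap where the table owner would otherwise bypass the policies. The way to verify a policy set like this is to query the table with two different users' session tokens and confirm that each one sees only its own rows and that an update or delete against the other user's rows affects zero rows.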
9. Changes to this policy
If we make material changes, we will email registered users before the changes take effect. The "last updated" date at the top of this page reflects the most recent revision.
10. Contact
Data Norfolk Ltd
[REGISTERED OFFICE ADDRESS]
privacy@gdprradar.co.uk