Last updated: [DATE]. This explains what personal data we collect, why, and what rights you have — whether you're a registered user of this service, or a director whose details appear on it because they're on the public Companies House register.
⚠️ Placeholder fields in this document (company number, registered address, ICO registration number, contact email) still need filling in before this is used for real — tracked in PRELAUNCH_CHECKLIST.md in the project folder. Do not launch to real customers until that checklist is complete.
This service is operated by Whittaker IT Limited, a company registered in England & Wales under company number 15872445, registered office at [REGISTERED ADDRESS] ("we", "us"). We are the data controller for the personal data described below. Our ICO registration reference is [PENDING — ICO REGISTRATION NOT YET COMPLETE].
For any privacy question or request, contact us at [PRIVACY CONTACT EMAIL] or via our Contact Us page.
We handle two distinct categories of personal data, and different rules apply to each:
A. Your account data — if you sign up to use this service, we collect your email address, a securely hashed password, your company name (optional), and the search settings you configure (home postcode, radius, industry preferences). You gave us this data directly.
B. Company and director data from the public register — we pull company names, registered addresses, incorporation dates, SIC codes, and officer/director details (name, role, appointment date, nationality, occupation, and month/year of birth — never the full date) from Companies House's public register. If you're a director of a company that appears in our system, we did not collect this from you directly — it comes from the public record Companies House itself publishes.
For account data, our legal basis is performance of a contract (providing you the service you signed up for) and legitimate interests (improving and securing the service).
For company and director data sourced from the public register, our legal basis is legitimate interests (Article 6(1)(f) UK GDPR): enabling business-to-business outreach using information that is already, by law, on the public record — the same basis Companies House itself relies on in publishing it. We only use this data for the purpose it's already public for (transparency about who controls and runs UK companies), and we do not add sensitive categories of data, combine it with data from other sources, or use it to build profiles beyond what's already visible on the public register.
UK GDPR requires us to tell individuals when we obtain their data from a source other than themselves (Article 14), unless doing so individually would involve disproportionate effort — which applies here, since we have no way to contact the thousands of directors whose public register entries pass through our system. Instead, we meet this requirement by publishing this notice, and by acting promptly on any request from an affected individual.
If you're a director and want your details removed from our system, contact us at [PRIVACY CONTACT EMAIL] with your name and company number, and we will remove them. Note that we cannot remove your details from the Companies House register itself — only from our own copy of it.
We share data with the following processors, only as needed to run the service:
Companies House (source of company/director data) · postcodes.io (converts postcodes to coordinates for distance calculations) · our hosting provider (stores the database) · our email provider (sends support form replies, and any email alerts you opt into).
We do not sell personal data to anyone, and we do not share it with advertisers.
Account data is kept while your account is active, and for a reasonable period afterwards in case you wish to reactivate it, after which it's deleted. Company and director data from the public register is kept for as long as it remains useful for the service's purpose, and is refreshed periodically to reflect the current public record.
Under UK GDPR you have the right to access the personal data we hold about you, correct it, request its deletion, restrict or object to our processing of it, and receive a copy in a portable format. Account holders can access and delete their own data directly from the Account page. Anyone — account holder or not — can contact us at [PRIVACY CONTACT EMAIL] to exercise these rights, and can complain to the Information Commissioner's Office if unsatisfied with our response.
We use a single strictly-necessary session cookie to keep you logged in. We don't use analytics, tracking, or marketing cookies, so no cookie consent banner is required under PECR.
This service is intended for business use by adults. We don't knowingly collect data from anyone under 18.
We'll update the date at the top of this page if this policy changes, and post the updated version here.