1. Introduction
WhereToSettle (“we”, “us”, “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what information we collect when you use the WhereToSettle service, how we use it, how long we keep it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We are the data controller for the purposes of this policy. Our service helps you explore neighbourhood data — crime statistics, schools, transport links — for any UK postcode or area. No account is required to use WhereToSettle.
By using WhereToSettle, you acknowledge that you have read and understood this policy. If you have any questions, please see the Contact Us section below.
2. What Data We Collect
We collect limited information that is necessary to provide the service:
- IP address — automatically collected with each request you make to our servers, as is standard for all web services. This is handled by our hosting provider, Vercel.
- Search queries — the postcodes and area names you enter into the search bar, used to return relevant neighbourhood data for your chosen location.
- Email address — collected when you create an account or sign in to WhereToSettle. Used solely for authentication and to associate your saved searches with your account. We do not use your email address for marketing without your explicit consent.
- Approximate location — if you choose to tap “Use my location”, your device uses its GPS or network geolocation to centre the map. This coordinates data is used momentarily within your browser session only and is never transmitted to or stored on our servers.
- Browser and device information — Mapbox, our map provider, may collect technical information about your browser and device as part of rendering interactive map tiles. This is governed by Mapbox's Privacy Policy.
We do not collect your name or any other directly identifying information beyond what is listed above. Your email address is only collected if you choose to create an account.
3. How We Use Your Data
We use the data we collect for the following purposes:
- To provide the WhereToSettle mapping service — fetching crime, school, and local authority data for your searched area;
- To cache API responses in our Supabase database, which improves performance and reduces unnecessary load on upstream public data sources;
- To monitor the reliability and performance of the service and diagnose any errors;
- To comply with applicable legal obligations.
The legal basis for processing your data is our legitimate interests under UK GDPR Article 6(1)(f) — specifically, our interest in providing a functional, reliable, and performant service. We have balanced this against your interests and fundamental rights, and we believe the processing does not override your rights given the limited and non-sensitive nature of the data involved.
4. Third-Party Services We Use
We rely on the following third-party services. Each operates under its own privacy policy and may process data as an independent controller or as our data processor:
Provides interactive map tiles and geocoding (converting place names and postcodes to coordinates). Mapbox may process your IP address and viewport information. Requests are made client-side.
Mapbox Privacy Policy ↗A UK Home Office open data API providing monthly crime statistics. All queries are made server-side; your IP address is not forwarded to this service.
data.police.uk ↗An open-source UK postcode resolution API. All queries are made server-side; your IP address is not forwarded to this service.
postcodes.io ↗Used as a server-side caching layer for API responses (crime data, school data). Servers are located in the EU/EEA. No personal data is intentionally stored in Supabase — only aggregated, anonymised API responses.
Supabase Privacy Policy ↗Our hosting and infrastructure provider. Vercel processes server access logs, which include IP addresses, as part of normal hosting operations.
Vercel Privacy Policy ↗6. Data Retention
- Cached crime and neighbourhood data — stored in our Supabase database for up to 30 days, after which it is automatically purged. This cache contains anonymised, aggregated data only — no personal data.
- Server access logs (including IP addresses) held by Vercel are retained in accordance with Vercel's own data retention schedule.
- Geolocation data from “Use my location” is used only within your browser session and is never stored on our servers.
- Search queries are used transiently to fetch data; we do not maintain a log of searches tied to individual users.
- Account data, including your email address and saved searches, is retained for as long as your account is active. You may request deletion of your account and all associated data at any time by contacting us.
If you do not create an account, no persistent record links your activity to your identity.
7. Your Rights Under UK GDPR
Under UK GDPR, you have the following rights in relation to your personal data. These rights are not absolute and are subject to certain exemptions.
- Right of access (Article 15) — you can request a copy of the personal data we hold about you.
- Right to erasure (Article 17) — you can request that we delete your personal data where it is no longer necessary for us to process it.
- Right to restriction of processing (Article 18) — you can ask us to restrict how we use your data while a complaint or query is being resolved.
- Right to data portability (Article 20) — where processing is based on your consent or a contract, you can receive your data in a structured, commonly used, machine-readable format.
- Right to object (Article 21) — you can object to processing carried out on the basis of legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
- Right to lodge a complaint — you have the right to complain to the UK's supervisory authority, the Information Commissioner's Office (ICO), if you believe we have not handled your data lawfully.
To exercise any of these rights, please contact us using the details in the Contact Us section. We will respond within one calendar month, as required by UK GDPR.
8. No Data Sold to Third Parties
We will never sell, rent, trade, or otherwise transfer your personal data to third parties for commercial purposes.
Data is shared only with the specific third-party service providers listed in Section 4, and only to the extent strictly necessary to deliver the WhereToSettle service to you.
9. Children
WhereToSettle is not directed at children under the age of 13. We do not knowingly collect or solicit personal data from children.
If you are a parent or guardian and believe that your child has provided us with personal data, please contact us immediately using the details below and we will take steps to delete that information.
10. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to raise a concern, please contact us:
We aim to respond to all requests within one month, in accordance with UK GDPR requirements.
11. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we do, we will revise the “Last updated” date at the top of this page.
We encourage you to review this policy periodically. Where changes are material, we will take reasonable steps to bring them to your attention. Continued use of WhereToSettle after any changes constitutes your acceptance of the updated policy.