Privacy Policy
Last updated: 8 June 2026
1. Who We Are
District Contracts Ltd (“we”, “us”, “our”) is the data controller for personal data processed through districtcontracts.com. We are registered with the Information Commissioner's Office (ICO); our registration number is [ICO REGISTRATION NUMBER — add once registered].
For all data protection queries: general@districtcontracts.com
2. The Two Types of People Whose Data We Process
Our service involves personal data relating to two distinct groups of people, and we want to be transparent about both:
- Subscribers — tradespeople who register and pay for our service. You gave us your data directly.
- Planning applicants — individuals whose names and addresses appear in planning applications published by UK councils. You did not interact with us directly; we obtained your data from public council planning portals. Section 4 below is specifically for you.
3. Data We Collect About Subscribers
| Data | Purpose | Legal basis |
|---|---|---|
| Full name & business name | Account creation; personalising digests | Contract |
| Email address | Account login; sending job alert emails | Contract |
| Postcode + radius preference | Geospatial filtering of planning applications | Contract |
| Trade types | Matching applications to your skills | Contract |
| Payment data | Processed by Stripe — we never store card numbers | Contract |
| Subscription tier & status | Feature access control; billing | Contract |
| Alert preferences | Controlling frequency and type of emails sent | Contract |
| Usage & access logs | Security, fraud prevention, abuse prevention | Legitimate interests |
| Saved jobs & pipeline data | Providing the CRM feature you use | Contract |
4. Planning Application Data — Including Applicant Names
We search UK council planning portals nightly and store the publicly available application records. These records are published by local authorities under their statutory obligations (Town and Country Planning Act 1990) and are made available under the Open Government Licence (OGL).
What applicant data we hold
- Property address (as published on the council portal)
- Applicant name (where published — often a company name, sometimes an individual)
- Agent / architect name (where published)
- Application description, type, status, and reference number
Legal basis — Legitimate Interests
Our legal basis for processing this data is Legitimate Interests (Article 6(1)(f) UK GDPR). We have conducted a Legitimate Interest Assessment (LIA) and concluded that our interest in operating a commercial planning intelligence service is not overridden by the interests or fundamental rights of applicants, for the following reasons:
- The data is already public — councils are legally required to publish it, and it appears on publicly searchable portals.
- We process it for a compatible purpose: connecting UK tradespeople with work opportunities, not for marketing to or profiling of applicants.
- We do not combine applicant data with other sources or use it to make decisions that affect applicants.
- Planning applicant data is retained for no more than 12 months, after which it is automatically purged.
If you are a planning applicant
You have the right to object to our processing of your data under Article 21 UK GDPR. Email general@districtcontracts.com with your name, property address, and the council reference number. We will remove your application data from our platform within 30 days. Note that the data will remain on the original council portal, over which we have no control.
5. Automated Processing
We use a rule-based enrichment engine to automatically process planning application descriptions. This generates plain-English summaries, trade relevance scores, and timing recommendations. These are presented to subscribers as interpretive aids — they are not official council interpretations and should not be relied upon without verification (see Terms of Service, Section 5).
This automated processing does not produce decisions with legal or similarly significant effects on planning applicants. Article 22 UK GDPR (rights regarding solely automated decisions) does not apply to this processing.
6. Data Processors — Who We Share Data With
We do not sell personal data. We share it only with the following processors, each of whom acts under a Data Processing Agreement:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Hosted database & authentication | EU (Frankfurt) / US |
| Stripe | Payment processing & billing | US (SCCs in place) |
| Resend | Transactional email delivery | US (SCCs in place) |
| Vercel | Application hosting & edge functions | EU / US (SCCs in place) |
7. International Transfers
Stripe, Resend, and Vercel are based in the United States. We transfer data to them under the UK's International Data Transfer Agreements (IDTAs) / Standard Contractual Clauses (SCCs), which provide equivalent protections to those required under UK GDPR. Supabase offers EU-region hosting and we use this where available.
8. Data Retention
| Data type | Retention period |
|---|---|
| Subscriber account data | Duration of account + 90 days post-deletion (for dispute resolution) |
| Planning application data (incl. applicant names) | Maximum 12 months, then automatically purged |
| Email delivery logs | 90 days |
| Payment records | 7 years (HMRC requirement) |
| Access & security logs | 90 days |
| Saved pipeline jobs | Until the subscriber deletes them or their account is closed |
9. Your Rights (Subscribers)
Under UK GDPR, subscribers have the right to:
- Access — request a copy of all data we hold about you.
- Rectification — correct any inaccurate data.
- Erasure — request deletion of your account and associated data (subject to legal retention obligations).
- Portability — receive your data in a machine-readable format.
- Object — object to processing based on legitimate interests.
- Restrict — request we limit processing in certain circumstances.
To exercise any right, email general@districtcontracts.com with your name and account email. We will respond within 30 days (extendable to 90 days for complex requests, with notice).
10. Cookies
We use only strictly necessary cookies: Supabase session tokens required to keep you logged in. We do not use analytics, advertising, or tracking cookies. Under PECR, no consent banner is required for strictly necessary cookies.
11. Changes to This Policy
We will notify registered subscribers by email of material changes at least 14 days before they take effect. The “last updated” date at the top of this page reflects the most recent revision.
12. Complaints
If you are unhappy with how we have handled your data, please contact us first at general@districtcontracts.com. You also have the right to lodge a complaint directly with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.