Legal
Privacy Policy
Last updated: 28 April 2026
Operated by Planiverse Intelligence Ltd (Company No. 17159473) · hello@planiverse.uk
01Who we are
Planiverse (planiverse.uk) is a UK planning-intelligence service operated by Planiverse Intelligence Ltd, a company registered in England and Wales.
- Company registration number: 17159473
- Registered office: 128 City Road, London, EC1V 2NX, United Kingdom
- ICO registration number: ZC126236
- Privacy contact: hello@planiverse.uk
Planiverse Intelligence Ltd is the data controller for personal data processed through this site. We do not have, and are not required to appoint, a Data Protection Officer; the named privacy contact above is responsible for handling data-protection enquiries.
This policy explains what personal data we collect, why, what we do with it, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
02Information we collect
We collect the following categories of personal data:
- Account data — name, email address, professional role, optional company name, optional area of interest, password (stored as a bcrypt hash, never readable).
- Property and proposal data you enter — addresses you search, property descriptions, and project details. These are linked to your account when you generate a report or save a session.
- AI-advisor questions — the planning questions you type into the in-app advisor and the responses returned.
- Authentication and session data — session tokens, last-active timestamp, login history, password-reset and email-verification tokens.
- Payment records — when you purchase a report, the address and selected report type are stored against the Stripe transaction reference. Card details are never seen or stored by Planiverse — they are handled directly by Stripe (see §05).
- Email opt-ins and preferences — newsletter signups, waitlist entries, and unsubscribe state.
- Feedback, feature requests and votes — text you submit, linked to your account where you submitted it while signed in.
- Technical and usage data — page views, button interactions, search queries within the app, IP address (transient — not stored long-term against your account), and broad device/browser type.
We do not collect special category data (health, religion, ethnicity, etc.), and we have no need to.
03How we use your information
- To provide the service — authenticate your account, generate reports, return AI-advisor responses, deliver purchased reports, and send service emails (verification, password resets, receipts).
- To improve the product — understand which features are used, where errors occur, which pages drive engagement. We use this on an aggregated, non-marketing basis.
- To communicate with you — service announcements (security, billing, planned downtime) are sent regardless of marketing preferences. Product updates and new feature emails are sent only if you've opted in; you can unsubscribe at any time using the link in any marketing email.
- To detect and prevent abuse — rate-limiting, spam detection, account-takeover defence, and incident response.
- To meet legal obligations — accounting records (Companies Act, HMRC), responses to lawful information requests, and regulatory enquiries.
We do not sell your data, share it with advertisers, or use it for ad targeting.
04Lawful basis for processing
Under UK GDPR Article 6, we process personal data on the following bases:
- Contract (Art 6(1)(b)) — to deliver the service you signed up for: account management, report generation, AI advisor, payment processing.
- Legitimate interests (Art 6(1)(f)) — to operate, debug, secure and improve the product; to detect abuse; and to keep records for the duration of our customer relationship.
- Consent (Art 6(1)(a)) — for marketing emails (opt-in at signup, withdrawable at any time) and for analytics cookies (opt-in via the cookie banner, withdrawable at any time — see Cookie Policy).
- Legal obligation (Art 6(1)(c)) — for accounting, tax, and regulatory record-keeping.
You can withdraw any consent-based processing at any time without affecting the lawfulness of processing before withdrawal.
05Sub-processors and service providers
We do not sell your data, share it with advertisers, or use it for ad targeting. The providers below process data only on our instructions to deliver our service.
We rely on the following sub-processors. All are bound by data-processing agreements that comply with UK GDPR:
- Vercel Inc. (United States) — hosting, edge network, deployment platform. Processes all incoming requests, application logs, and serves static assets. Privacy policy.
- Supabase Inc. (project region: Ireland, eu-west-1) — managed Postgres database and object storage. Holds your account data, sessions, search history, AI-call logs (90-day retention), and report records. Privacy policy.
- Anthropic, PBC (United States) — the Claude API used to generate AI-advisor responses and report narratives. We send the planning question and relevant property data; we do not send your name or email to Anthropic. Anthropic processes API inputs and outputs under their commercial Data Processing Addendum and applies a 30-day input/output retention by default. Privacy policy.
- Resend Inc. (sending region: Ireland, EU) — transactional and marketing email delivery. Processes recipient email addresses, names, and email body content. Privacy policy.
- Stripe Payments UK Ltd (United Kingdom) — payment processing and fraud prevention (Stripe Radar). Card details are entered on Stripe's hosted checkout page and never reach our servers. We receive only the transaction reference, last 4 digits of the card (where Stripe surfaces it), and billing email. As part of fraud prevention, Stripe processes transaction data, device and browser information, and behavioural signals (Stripe Radar) under their own Data Processing Agreement and privacy policy. Privacy policy.
- Google LLC — Google Analytics 4 (United States) — anonymous usage analytics, loaded only after you accept analytics cookies. Privacy policy.
- Google LLC — Google Fonts (United States) — font CSS and font files served from
fonts.googleapis.com / fonts.gstatic.com on every page. Your browser's IP address is disclosed to Google when fonts load. Privacy policy.
- Mapbox Inc. (United States) — interactive map tiles and static map images on the homeowner report flow. Your browser fetches map tiles directly from Mapbox; Mapbox sees your IP address, the tile coordinates requested, and our access token. Privacy policy.
- Ideal Postcodes Ltd (United Kingdom) — address autocomplete and resolution against the Royal Mail Postcode Address File (PAF). We send your typed search and the selected address; Ideal Postcodes returns the structured address, postcode, UPRN and coordinates. Privacy policy.
- postcodes.io (United Kingdom — operated by Ideal Postcodes under contract with the Ministry of Housing, Communities and Local Government) — postcode and ward lookup using public ONS data. We send postcodes or coordinates only; no personal account data is sent.
06International transfers
Personal data is primarily stored on infrastructure located in the United Kingdom and the European Union. Some sub-processors are based in the United States, which means certain processing involves an international transfer of data outside the UK.
For each US-based sub-processor (Vercel, Anthropic, Google, Mapbox), we rely on:
- The UK International Data Transfer Agreement (UK IDTA), or the European Commission's Standard Contractual Clauses (SCCs) together with the UK Addendum, where applicable; and
- The provider's published security and contractual safeguards under the EU–US Data Privacy Framework where they are certified.
You can request a copy of the safeguards relied on for any specific transfer by emailing hello@planiverse.uk.
07Cookies and similar technologies
We use a small set of cookies and browser local-storage entries. Some are strictly necessary to operate the site (authentication); analytics are loaded only after you grant consent via the cookie banner.
Until you click "Accept" on the banner, no Google Analytics scripts are loaded and no analytics requests leave your browser. If you click "Decline" or close the banner, the analytics scripts never load on any page, on any visit, until you change that choice.
For the full list of cookies, what they do, and how long they last, see our Cookie Policy.
08Your rights
Under UK GDPR you have the following rights, free of charge:
- Access — request a copy of the personal data we hold about you (a Subject Access Request, or SAR).
- Rectification — correct inaccurate or incomplete data. You can update most account fields yourself in Account settings; for anything else, email us.
- Erasure ("right to be forgotten") — request deletion of your account and personal data. Some records (payment receipts, audit logs) are kept for legal and accounting reasons even after account closure — see §09.
- Restriction — ask us to limit how we process your data while a query is being resolved.
- Portability — receive a copy of the data you provided to us in a structured, machine-readable format (JSON or CSV).
- Object — object to processing based on legitimate interests, including direct marketing. You can also unsubscribe from any marketing email by clicking the link in the email footer.
- Withdraw consent — withdraw any consent you've given (cookie consent via the banner; marketing consent via unsubscribe or by emailing us).
- Complain to the ICO — see §15.
To exercise any right, email hello@planiverse.uk. We aim to respond within 30 days; we may extend this to 60 days for complex requests, in which case we'll tell you within the first 30 days. We may need to verify your identity before responding.
09How long we keep your data
- Account data — kept until you request deletion. Inactive accounts (no login for 36 months) are flagged for review and may be deleted after notice.
- Authentication tokens and sessions — expired sessions are purged daily. Password-reset tokens expire after 1 hour; email-verification tokens after 24 hours.
- AI-call logs (request and response bodies) — automatically deleted after 90 days by an enforced retention job. The metadata row in our database is deleted at the same time as the stored body.
- Search history and AI-advisor questions — kept for up to 24 months, then deleted or anonymised for product analytics.
- Generated PDF reports — kept for 90 days in our private storage, after which the file is deleted. The transaction record (address, date, type, payment reference) is kept for 6 years for accounting purposes; you can request a re-issued PDF during that period.
- Payment records and customer billing data — kept for 6 years from the end of the financial year in which the transaction occurred, in line with UK accounting and tax requirements (Companies Act 2006, HMRC).
- Email subscriptions and waitlist entries — kept until you unsubscribe, or 24 months of inactivity, whichever is sooner.
- Server logs — application and access logs are kept for up to 30 days, then rotated.
- Google Analytics data — held by Google for 14 months, the maximum we have configured.
10Security
- All connections are encrypted in transit using HTTPS / TLS 1.2+. Strict-Transport-Security (HSTS) is enforced.
- Passwords are hashed with bcrypt (cost factor 12). We never store, log, or have access to your plaintext password.
- Database access is restricted to authorised application servers via short-lived credentials. Row Level Security is enabled on all application-data tables.
- Secrets (API keys, database credentials) are stored as encrypted environment variables and rotated when staff change or on a periodic schedule.
- We log all AI-advisor and report-generation activity for security and quality review, with the 90-day retention described above.
- If we detect a personal data breach that risks your rights, we will notify the ICO within 72 hours and contact you directly without undue delay.
11Children
Planiverse is intended for property owners, professionals and businesses. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please email hello@planiverse.uk and we will delete it promptly.
12Automated decision-making
Planiverse uses AI to generate planning intelligence reports and to power the in-app advisor. These outputs are analytical and informational: they do not produce legal or similarly significant decisions about you as an individual, and they are clearly labelled as AI-generated.
We do not use automated decision-making (within the meaning of UK GDPR Article 22) for credit, eligibility, insurance, employment, or anything else that would have a legal or similarly significant effect on you.
13Where our data comes from
The personal data we hold about you comes from:
- You directly — what you enter at signup, in your account, in searches, in AI-advisor questions, and through forms on our site.
- Public planning data sources — we ingest planning application records from PlanIt.org.uk (which aggregates public local-authority data). These records are about planning decisions, not about you, and are treated as public-domain reference data.
- Address-resolution providers — when you select an address, Ideal Postcodes / postcodes.io return structured address details (UPRN, postcode, coordinates, ward) that we store against your search.
14Changes to this policy
We may update this policy to reflect changes to our service, our sub-processors, or our legal obligations. The "last updated" date at the top of this page always reflects the most recent revision. Material changes will be notified to registered users by email at least 14 days before they take effect.