Navigated to /en/legal/privacy.

Skip to content
Get listed

Legal

Privacy Policy

Last updated: [DATE]

Effective date: [DATE]

This is a substantive working draft based on UK GDPR and standard SaaS and marketplace practice as of early 2026. It is not legal advice and should be reviewed by a UK startup solicitor before publication.

Publish checklist

  • Replace all bracketed placeholders before publishing.
  • Complete ICO registration and replace the pending ICO placeholder before go-live.
  • Confirm current processor list and signed DPAs before publishing.
  • Have a UK startup solicitor review the special category data, training consent, and provider warranty clauses.

1. Who We Are

Receipts is operated by [COMPANY LEGAL NAME], registered in England and Wales (Company No. [COMPANY NUMBER]), with registered address at [REGISTERED ADDRESS].

We are the data controller for personal data processed through the Platform. Contact for privacy matters: [PRIVACY EMAIL]. ICO Registration No. [PENDING ICO REGISTRATION].

2. What This Policy Covers

This policy explains what personal data we collect, why we collect it, how we use it, and your rights. It applies to anonymous visitors, registered users, and registered providers.

3. Data We Collect

Anonymous users

We process uploaded images to run style search, text queries or image hashes to return results, and IP, browser, and session data for security, fraud prevention, and analytics.

Anonymous search uploads are not linked to an identity, are not retained beyond the search session unless you create an account, and are never used in AI training datasets.

Registered users

We process account details, authentication provider data, uploaded images, tag confirmations or rejections, search behaviour, consent records, and device or session data.

Registered providers

We additionally process business name, location, contact details, portfolio media, provider type, and service categories to display provider profiles and power matching.

4. Special Category Data

Uploaded images may contain special category data under UK GDPR Article 9, including data revealing racial or ethnic origin, or biometric data where used for uniquely identifying a person.

We do not use facial recognition to identify individuals. Our AI analysis is directed at service characteristics such as hair texture, colour, and technique, not personal identity.

Where uploaded images contain facial or other biometric features, we process them only as necessary to deliver the requested search, review, or portfolio functionality. For anonymous search uploads, we do not link image content to any identity.

Our stated legal basis for special category processing is explicit consent under Article 9(2)(a), collected through the upload notice or account onboarding journey.

5. Legal Bases

  • Delivering search results: legitimate interests.
  • Account management: contract performance.
  • Displaying reviews and portfolio content: contract performance and legitimate interests.
  • AI tag suggestions and consensus scoring: legitimate interests.
  • Training data use: explicit consent.
  • Security and fraud prevention: legitimate interests.
  • Analytics: consent for browser analytics cookies; legitimate interests for aggregate internal reporting once data is anonymised.
  • Marketing communications: consent.
  • Legal compliance: legal obligation.

6. AI Analysis and Tag Consensus

When you upload media, our AI systems analyse visual characteristics to suggest tags such as service type, technique, or colour. This processing is automated.

Your confirmations, rejections, or edits contribute to the consensus model, influence provider trust scores and ranking, and may be included in anonymised training datasets only if you have opted into training.

We do not make solely automated decisions with legal or similarly significant effects on users.

7. Search Feedback and Ranking Signals

For registered users, clicks, saves, and booking-intent signals may be recorded as anonymised behaviour data to improve ranking quality. These signals are not used for individual advertising profiles.

8. How We Share Your Data

We do not sell personal data.

  • Cloud infrastructure and storage providers.
  • Authentication providers where you use social or OAuth login.
  • Analytics: PostHog.
  • Error monitoring: Sentry.
  • Search acceleration: Not currently used. Algolia has been removed from the stack.
  • Legal, regulatory, and business transfer recipients where required.

9. AI Training Data

AI training data use applies only to registered users who have explicitly opted in. Anonymous users: never. Registered users without training opt-in: never.

Training data may include uploaded images, associated tag confirmations or rejections, and service-category metadata.

Training data does not include your name, email, or direct account identity. Dataset builds are immutable versioned snapshots. If you withdraw consent, your data is excluded from future builds, though technical removal from completed versions may not be feasible.

Anonymised and de-identified training datasets may be licensed to third parties for machine-learning purposes.

10. Data Retention

  • Anonymous search uploads: session only.
  • Account data: duration of account plus 12 months.
  • Review and portfolio media: duration of account plus 12 months, or until takedown.
  • Tag confirmation and rejection events: duration of account plus 24 months, then anonymised.
  • AI consensus aggregate data: indefinite where anonymised.
  • Training dataset versions: indefinite once versioned and anonymised.
  • Search behaviour signals: 24 months rolling, then anonymised.
  • Idempotency and audit logs: 90 days.

11. Your Rights

Under UK GDPR, you may request access, rectification, erasure, restriction, portability, objection to legitimate-interests processing, withdrawal of consent, and human review of any qualifying solely automated decision.

To exercise these rights, contact [PRIVACY EMAIL]. We will respond within one calendar month.

12. Complaints

You have the right to complain to the Information Commissioner's Office at ico.org.uk or on 0303 123 1113. We would appreciate the opportunity to address concerns first via [PRIVACY EMAIL].

13. International Transfers

We primarily process data within the UK and EEA. Where data is transferred outside those regions, we rely on appropriate safeguards such as the UK IDTA or equivalent standard contractual clauses.

14. Cookies and Tracking

  • Session management cookies: essential.
  • Analytics cookies: PostHog, only after you accept analytics.
  • Feature-flag cookies: essential.
  • No advertising cookies or third-party ad tracking cookies.

Analytics starts disabled by default. If you accept analytics, we collect full product analytics through PostHog. If you reject analytics, we limit collection to anonymous aggregate product measurement, do not create person profiles, and do not run session replay. Cookie preferences can be managed through the Platform footer or browser settings. Blocking essential cookies will affect functionality.

See our Cookie Policy for the current cookie inventory and durations.

15. Children

The Platform is not directed at individuals under 18 and we do not knowingly collect personal data from children.

16. Changes to This Policy

We will notify registered users by email and post an updated version with a revised effective date when material changes are made. Continued use after the effective date constitutes acceptance.

17. Contact

[COMPANY LEGAL NAME]

[REGISTERED ADDRESS]

[PRIVACY EMAIL]

ICO Registration No. [PENDING ICO REGISTRATION]