Privacy Policy

Last updated: 1 June 2026 · Effective: 1 June 2026

SiteReport is committed to protecting your personal data. This policy explains what data we collect, why we collect it, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.

1. Who We Are

SiteReport ("we", "us", "our") is the data controller responsible for your personal data. We operate the SiteReport platform accessible at sitereport-xi.vercel.app.

Contact: tonarth@gmail.com

2. Data We Collect

2.1 Account & Profile Data

  • First and last name
  • Email address
  • Company name and job title
  • Phone number (if provided)
  • Date and time of registration
  • Marketing consent preference
  • Timestamp of Terms acceptance (audit record)

2.2 Project & Report Data

  • Project names, site addresses, client names
  • Inspection dates and report content
  • Issue descriptions, severity ratings, photographs
  • Energy consumption data you enter

2.3 Technical Data

  • IP address and approximate location
  • Browser type and device information
  • Pages visited and features used (analytics)
  • Session cookies and authentication tokens

3. Legal Basis for Processing

We process your data on the following legal bases under UK GDPR Article 6:

  • Contract (Art. 6(1)(b)): Processing necessary to provide the SiteReport service you signed up for.
  • Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, service improvement, and technical operations.
  • Consent (Art. 6(1)(a)): Marketing emails — only if you opted in. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): Where required by law.

4. How We Use Your Data

  • To create and manage your account and authenticate you securely
  • To provide, operate and improve the SiteReport platform
  • To store and display your inspection projects and reports
  • To send transactional emails (account confirmation, password reset)
  • To send marketing emails, only if you consented
  • To comply with legal obligations
  • To detect and prevent fraud, abuse, or security incidents

5. Data Sharing & Third Parties

We do not sell your personal data. We share data only with trusted processors under contractual data processing agreements:

  • Supabase Inc. — authentication, database and file storage (EU region)
  • Vercel Inc. — hosting and content delivery (EU region available)
  • Google LLC — address autocomplete via Google Places API (address input data only; no personal account data sent)

All processors are required to handle data in compliance with UK GDPR.

6. International Transfers

Where data is processed outside the UK or EEA, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) or UK Adequacy Regulations. Supabase stores data in EU data centres. Vercel uses EU regions for SiteReport deployments.

7. Data Retention

  • Account data: Retained for the duration of your account plus 2 years after deletion for legal/audit purposes.
  • Project & report data: Retained while your account is active. Deleted within 30 days of account deletion.
  • Photographs: Retained as part of project data. Deleted with the project.
  • Logs & technical data: Retained for up to 90 days for security purposes.
  • Marketing consent records: Retained for 7 years as a legal audit record even after withdrawal.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of all data we hold about you
  • Right to rectification — correct inaccurate or incomplete data
  • Right to erasure — request deletion of your data ("right to be forgotten")
  • Right to restriction — ask us to limit how we use your data
  • Right to data portability — receive your data in a machine-readable format
  • Right to object — object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent — withdraw marketing consent at any time without affecting past processing

To exercise any right, email us at tonarth@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Cookies

We use essential cookies for authentication and session management, and optional analytics cookies. See our Cookie Policy for full details.

10. Security

We implement appropriate technical and organisational measures to protect your data, including encrypted data transmission (TLS), bcrypt-hashed passwords (via Supabase Auth), row-level security policies in the database, and regular security reviews.

11. Children

SiteReport is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us data, please contact us immediately.

12. Changes to This Policy

We may update this policy periodically. Material changes will be notified by email or by a prominent notice in the app. The "Last updated" date at the top reflects the most recent revision.

13. Contact

For any privacy-related questions or to exercise your rights:

SiteReport
Email: tonarth@gmail.com
Website: sitereport-xi.vercel.app