Privacy Policy

We keep data collection to a minimum. This page explains what we collect, why we collect it, how long we keep it, how we secure it, and the rights you have under UK GDPR. If anything is unclear, contact us.

Controller: Saltaire Guide
Jurisdiction: UK GDPR
Last reviewed: 2026-04-11

Quick links

What we collect
Lawful bases
Local services leads
How long we keep data
Journalism & public interest
Processors & transfers
Cookies & analytics
Your rights
Contact us

See also: Editorial policy, Corrections, About.

Who we are

Saltaire Guide ("we", "us") operates saltaireguide.uk. We're an independent, local guide to Saltaire. For privacy enquiries, email hello@saltaireguide.uk.

Data controller

Organisation: Saltaire Guide
Website: https://saltaireguide.uk
Email: hello@saltaireguide.uk
Jurisdiction: United Kingdom (UK GDPR & Data Protection Act 2018)

How to contact us

Corrections & accuracy: Email subject "Privacy: correction" if a page contains personal data or inaccuracies about you.
Data requests: Email subject "Privacy: request" to access, rectify, delete or restrict processing of your data.
Complaints: If unresolved, you can complain to the UK ICO. We prefer to resolve issues directly first.

What data we collect (and why)

We collect the minimum needed to run a helpful, safe website. We do not sell your data, run third-party advertising scripts, or buy personal information from brokers.

Contact details (you provide)

Examples: Name, email, message content
Purpose: Reply to your query; verify tips/corrections
Lawful basis: Consent; Legitimate interests

Technical logs (automatic)

Examples: IP (truncated/hashed), user-agent, URL, timestamp
Purpose: Security, abuse prevention, debugging
Lawful basis: Legitimate interests

Analytics (aggregated)

Examples: Page views, referrers, device categories
Purpose: Understand what's useful, fix UX issues
Lawful basis: Consent / Legitimate interests

Email newsletter (optional)

Examples: Email address, opt-in timestamp
Purpose: Send updates and service emails
Lawful basis: Consent

User contributions

Examples: Tips, route corrections, photos
Purpose: Editorial verification and publication
Lawful basis: Consent; Legitimate interests

Local services lead submissions

Examples: Name, phone, email, postcode, job description, budget, property type, photos, notes
Purpose: Matching you with a local tradesperson we know
Lawful basis: Consent (recorded at submission)

Category	Examples	Purpose	Lawful basis (UK GDPR)
Contact details (you provide)	Name, email, message content	Reply to your query; verify tips/corrections; manage media permissions	Consent; Legitimate interests (running a responsive local guide)
Technical logs (automatic)	IP (truncated/hashed where possible), user-agent, URL, timestamp, error traces	Security, abuse prevention, debugging, service reliability	Legitimate interests (security & operations)
Analytics (aggregated)	Page views, referrers, device categories, approximate location (city/region)	Understand what's useful, fix UX issues, plan content	Consent where required; otherwise Legitimate interests (low-risk, privacy-respecting analytics)
Email newsletter (optional)	Email address, opt-in timestamp	Send "The Saltaire Weekend" and essential service updates	Consent (you can unsubscribe anytime)
User contributions	Tips, route corrections, photos you send us	Editorial verification and publication decisions	Consent; Legitimate interests (publishing a community resource)
Account data	Email address, account identifier, magic-link tokens, sign-in timestamps, device and IP associated with sign-in, saved listings and preferences	Creating and securing your account, letting you save listings, community posting, claiming a business listing, abuse prevention	Contract (performance of the account service); Legitimate interests (account security and fraud prevention)
Payment data (business listings)	Handled by Stripe (card details never touch our servers). We see: transaction ID, amount, currency, billing country, product purchased, email, limited card metadata (last four / brand / expiry)	Processing and recording payment for featured listings and other commercial services; accounting and tax records	Contract; Legal obligation (accounting and tax)
Reader submissions and accounts of third-party experiences	Name (if given), email or contact method, the story or review itself, information about the business or individual mentioned, any supporting evidence you attach, whether you asked us to publish anonymously	Editorial triage, fact-checking where possible, publication decisions, offering a right of reply where appropriate, retaining a record for legal defence	Consent (from you, the submitter); Legitimate interests (public interest journalism under UK GDPR Article 6(1)(f) and the journalistic exemption — see below)
Local services lead submissions	Name, phone number, email, postcode, property type, ownership, job type and description, urgency, rough budget band, preferred contact method and time, free-text notes, any photos you attach, a hashed form of your phone number (for deduplication), the timestamp and version of the consent you gave, and the IP address the submission came from	Matching you with a local tradesperson we know personally, replying to your submission, defending our editorial decisions, preventing abuse of the form	Consent (recorded at the point of submission, version-stamped); Legitimate interests (running the match-making service and keeping it free from abuse)

Special category data

We don't seek special category data (e.g., health, beliefs). If such details are included in your message, we'll delete or redact them unless strictly necessary to handle your request (e.g., accessibility feedback).

Local services lead submissions (the consult form)

On our local services pages (plumbers, electricians, roofers and so on) we host a short “consult” form. You answer a few questions about the job, we show you a personalised action plan, and at the end you can ask us to put you in touch with a local tradesperson. If you do, the information you have given us is transferred from us to that one tradesperson. This section explains exactly what happens and what your rights are.

What we collect at submission

See the “Local services lead submissions” row of the data table above for the full list. In short: your contact details, your postcode, some context about your property and the job, your rough budget band, your preferred way and time of being contacted, free-text notes you write, a one-way hash of your phone number that we use purely for deduplication and abuse prevention, the timestamp of your consent, the version of this privacy policy you consented to, and the IP address your submission came from.

Lawful basis

We rely on your consent under Article 6(1)(a) of the UK GDPR for passing your details to a tradesperson. The consent box is unticked by default, the language is specific to this purpose, and we record when you gave consent and which version of this policy was in force at the time. You can withdraw consent at any time by emailing hello@saltaireguide.uk with “Withdraw lead consent” in the subject. Withdrawing consent does not affect the lawfulness of anything we did with your data before you withdrew.

We also rely on legitimate interests under Article 6(1)(f) for the narrower task of keeping the form free from abuse — specifically: hashing your phone number to detect repeat submissions, storing your IP address to enforce a simple rate limit, and using Cloudflare Turnstile to block automated bots.

Who we pass your details to

We do not sell your details, we do not run a lead marketplace, and we do not share your details with a list of tradespeople who then fight over you. What we actually do is look at your submission, and — if we know one local tradesperson we trust who is a good fit for your job — pass your details to that one person so they can contact you. If we do not know anyone suitable, we tell you so and your details go no further than our own inbox.

Tradespeople we match you with are independent businesses, not our employees or contractors. Once we pass your details on, that tradesperson becomes a separate controller of the information we shared with them, and their own handling of your data is governed by their own privacy practices and by UK data protection law. You can ask us at any time to tell you which tradesperson we shared your details with.

What happens if you do not finish the form

Answers you give before the final submission step are held in your own browser (in sessionStorage) so you can reload the page without losing them. They are not sent to us until you tick the consent box and submit. If you close the browser tab, those answers are discarded by the browser.

Retention

We keep lead submissions for up to 12 months from the date of submission, after which we delete or anonymise them unless there is a specific reason to keep them longer (for example, an ongoing matter with you, a dispute with a tradesperson we matched you to, or a legal obligation to retain certain records). You can ask us to delete a lead earlier at any time using the contact details above. See the retention table later in this page for the quick summary.

Photos you attach

Where you attach photos to a lead (for example, a picture of a leak or a broken tile), we store them in our secure file storage and share them only with the tradesperson we match you to. Please do not include photographs of identifiable third parties, children, number plates, or confidential documents in the background. If you do, we may crop or decline to use the photo.

Your rights over a lead submission

All of the UK GDPR rights we describe further down this page apply to lead submissions, including the right to access a copy of what we hold, the right to correct inaccurate information, the right to erasure, and the right to object to processing. For lead submissions specifically, erasure is usually straightforward — we simply delete the row — unless we need to keep a record to handle a dispute or legal claim involving you or the tradesperson we matched you to, in which case we will tell you and explain why.

Our lawful bases

Under UK GDPR, we rely on a small set of lawful bases appropriate for a content site:

Consent -- when you subscribe to email updates or explicitly opt-in to analytics cookies.
Legitimate interests -- operating a secure website, preventing abuse, measuring what content is useful in a privacy-respecting way, and responding to messages you send us.
Contract -- if we agree to provide something you request directly (e.g., commissioned content).
Legal obligation -- where we must keep certain records or respond to lawful requests.

How long we keep data

We keep data only as long as needed for the purpose collected, then delete or anonymise it.

Contact form & email threads

Retention: Up to 24 months
Notes: Follow up on editorial issues; delete earlier on request.

Server/access logs

Retention: 30-90 days
Notes: Security & reliability; longer temporarily for incident review.

Analytics aggregates

Retention: Up to 26 months
Notes: Trend analysis only; we avoid storing raw IPs.

Newsletter list

Retention: Until you unsubscribe
Notes: Minimal suppression record kept.

User contributions (published)

Retention: As long as published
Notes: Remove or amend on request if appropriate.

Local services leads

Retention: Up to 12 months
Notes: Delete earlier on request, unless we need it for a dispute or legal claim.

Data	Typical retention	Notes
Contact form & email threads	Up to 24 months	So we can follow up on long-running editorial issues; delete earlier on request.
Server/access logs	30-90 days	Security & reliability. Shorter where feasible; longer temporarily for incident review.
Analytics aggregates	Up to 26 months	Trend analysis only; we avoid storing raw IPs where possible.
Newsletter list	Until you unsubscribe	We keep a minimal suppression record so we don't email you again by mistake.
User contributions (published)	As long as published	We'll remove or amend on request if appropriate.
Local services leads	Up to 12 months	We delete or anonymise lead submissions after a year unless we still need them for an ongoing matter, a dispute, or a legal claim. Delete earlier on request.

Journalism, public interest and the special purposes exemption

Saltaire Guide is an independent local publication. A meaningful part of what we do is journalism — researching, fact-checking, and publishing information and opinions about local businesses, services, public institutions, transport, events, and everyday life in Saltaire and Shipley. That includes publishing criticism, reader accounts of experiences with local services, and commentary on matters of public interest.

Where we process personal data for journalistic purposes, we rely on the exemption for the “special purposes” of journalism under Article 85 of the UK GDPR and Schedule 2, Part 5, paragraph 26 of the Data Protection Act 2018. This exemption allows a publisher to process personal data without complying with certain data protection principles and data subject rights where (a) the processing is carried out with a view to the publication of journalistic material, (b) we reasonably believe the publication would be in the public interest, and (c) we reasonably believe that complying with the relevant provision would be incompatible with the journalistic purpose.

In practice this means:

We may decline a request to erase, rectify, restrict, or stop processing personal data where doing so would compromise a story, a reader account, a review, or information we reasonably believe is in the public interest to publish or to keep published. We do not exercise this exemption lightly and we consider each request on its facts.
We may keep research notes, draft material, correspondence with sources, and records of reader submissions for as long as is reasonably necessary to defend our editorial decisions, to support a Defamation Act 2013 section 4 public-interest defence, or to comply with a legal hold.
Where we publish an account, opinion, or review that names an individual or business, we are doing so because we believe the publication is in the public interest. We apply the standards set out in our editorial policy and we will consider a request for correction, clarification, right of reply, or (where appropriate) removal under our corrections policy and the notice-and-takedown process in our terms of use.
Invoking the exemption is not a blanket refusal. You still have the right to lodge a complaint with the ICO about our use of the exemption, and the ICO has specific powers under section 174 of the Data Protection Act 2018 in respect of special- purposes processing.

Nothing in this clause is intended to exclude or limit our obligations under UK data protection law where the exemption does not apply, and nothing in it prevents us from voluntarily honouring a request where we judge that doing so is the right thing to do.

We share personal data only with service providers (“processors”) who help us run the site under a written contract requiring them to protect your data and act on our instructions. We do not sell, rent, or lend personal data to anyone, and we do not run third-party advertising trackers. The processors we currently rely on are:

Processor	What it does for us	Data categories	Region
Vercel, Inc.	Hosting, edge network, build and deployment pipeline	Technical logs, IP, user-agent, request metadata	Global edge; primary data processing outside the UK/EEA under the UK IDTA
Cloudflare, Inc.	DNS, CDN edge caching, DDoS and bot protection	IP, TLS metadata, request headers, security challenge data	Global edge; UK/EEA data handled under SCCs and the UK IDTA
Supabase	Database, authentication (magic-link email sign-in), storage of user-submitted content	Account data, email, hashed tokens, saved listings, submissions	Hosted region with appropriate transfer safeguards; we prefer UK/EEA regions where available
Stripe Payments UK Ltd & Stripe, Inc.	Card processing for featured business listings and any other paid services	Payment data as described in the collection table above	UK/EEA with controlled transfers to the US under Stripe’s SCCs and UK IDTA
Email and newsletter provider (currently Resend, Inc.)	Sends transactional emails, magic links, contact replies and newsletters	Email address, email content, delivery metadata	Transfers to the US under appropriate safeguards
Error monitoring / logging	Captures server-side errors so we can fix bugs without losing them	Error traces, truncated request context	Varies by provider; configured to minimise PII

Where a processor changes, we update this list. If a processor is ever breached in a way that affects your personal data, we will notify the UK Information Commissioner’s Office (ICO) within 72 hours where the breach is likely to result in a risk to the rights and freedoms of natural persons, and we will notify affected individuals without undue delay where the risk is high, as required by Articles 33 and 34 of the UK GDPR.

International transfers

Several of our processors are based in or operate from the United States or other countries outside the UK and EEA. Where personal data is transferred outside the UK, we rely on one or more of the following safeguards:

an adequacy decision by the UK government or the European Commission (where one applies);
the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission’s Standard Contractual Clauses (SCCs);
the UK extension to the EU–US Data Privacy Framework where the processor is certified;
our own assessment of the transfer, including technical and organisational measures, in line with the ICO’s guidance.

We can give you more information about the specific safeguard applied to a particular transfer on request.

Legal and law-enforcement disclosures

We will disclose personal data to a court, regulator, or law-enforcement agency only when we are legally required to do so, where it is necessary to establish, exercise or defend legal claims, or where the disclosure is covered by a specific statutory exemption (for example, sections 15 and 19 of, and Schedules 2 and 11 to, the Data Protection Act 2018). Where lawful, we will notify the affected individual.

Cookies & analytics

We aim to run with light, privacy-respecting analytics and essential cookies only. If we introduce optional analytics or preferences cookies, you'll see a clear choice.

Cookie categories

Strictly necessary -- security, load balancing, basic site functions. Always on.
Functional -- saves simple preferences (e.g., text size). Optional.
Analytics -- aggregated usage to improve content. Optional where consent is required.

Your choices

You can block or delete cookies via your browser settings. If we add an on-site cookie control, you'll find it linked from this page and the footer.

We don't use cross-site advertising trackers.

Security & international transfers

We use reputable providers with modern security practices (HTTPS, encryption in transit, access controls). Data may be processed outside the UK/EEA where providers operate; where that happens, appropriate safeguards (such as UK IDTA/EU SCCs) are used.

Your rights under UK data protection law

Under the UK GDPR and the Data Protection Act 2018 you have the following rights in respect of the personal data we hold about you. We will respond to a valid request within one calendar month of receipt. Where a request is complex or we have received a number of requests from you, we may extend that period by up to two further months and will tell you why within the first month, in line with Article 12(3) of the UK GDPR.

Right of access — a copy of the personal data we hold about you, and supporting information about how we use it (Article 15).
Right to rectification — correcting inaccurate data and completing incomplete data (Article 16).
Right to erasure — the “right to be forgotten”, subject to the journalism and public-interest exemptions discussed above (Article 17).
Right to restriction — pausing certain processing while a dispute is resolved (Article 18).
Right to object — in particular to processing based on legitimate interests, and an absolute right to object to direct marketing (Article 21).
Right to data portability — a copy of data you provided to us, in a structured, commonly used, machine-readable format (Article 20).
Right to withdraw consent — where we rely on consent, you can withdraw it at any time; withdrawal does not affect the lawfulness of processing already carried out (Article 7(3)).
Rights in relation to automated decision-making and profiling — see below (Article 22).

To exercise any of these rights, email hello@saltaireguide.uk with “Privacy: request” in the subject line. Tell us which right you want to exercise and give us enough information to locate the data. We may need to verify your identity before responding — usually by confirming that you control the email address associated with the account or submission — to prevent impersonation and unauthorised disclosure. Identity verification is not a delay tactic; it is a safeguard required by Article 12(6) of the UK GDPR.

If we process personal data in reliance on the journalism exemption at Article 85 of the UK GDPR and Schedule 2, Part 5 of the Data Protection Act 2018, some of the rights above may be modified or not apply. We explain our reasoning if that is the case and you retain the right to complain to the ICO.

Right to complain to the ICO

If you believe we have not handled your personal data correctly, we would prefer to try to sort it out with you first — please contact us. You also have the right at any time to lodge a complaint with the UK Information Commissioner’s Office:

Website: ico.org.uk/make-a-complaint
Helpline: 0303 123 1113
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Automated decision-making and profiling

We do not make decisions about you that produce legal or similarly significant effects solely by automated means. We do not engage in profiling within the meaning of Article 22 of the UK GDPR. Where we use simple technical rules (for example, basic rate-limiting or abuse filters on submission forms), a human can review any outcome on request.

Direct marketing and electronic communications

We send direct marketing only where we have your consent or where the “soft opt-in” at regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) applies. You can opt out at any time using the unsubscribe link in any email, or by contacting us. We will keep a minimal suppression record (email hash only) to make sure we do not email you again after you have unsubscribed.

Children

Our site is aimed at a general audience of adult residents and visitors. We do not target children with our content, products, or marketing, and we do not knowingly collect personal data from children under the age of 13.

We recognise that a local guide to Saltaire and Shipley may be read by families and young people, and that the Age Appropriate Design Code (the ICO’s Children’s Code) may therefore apply to certain features of the site. Where that is the case, we aim to apply its principles on a proportionate basis — including using privacy-friendly defaults, minimising data collection, not profiling children, and providing information in language appropriate for the audience.

You must be at least 13 years old to create a user account or to submit content. Users between 13 and 18 confirm, when they submit content or sign up, that a parent or guardian has reviewed these terms and our terms of use on their behalf. If you believe a child has provided us with personal data without the appropriate consent, contact us and we will delete it promptly.

Changes & how to contact us

We'll update this policy when our practices change. Significant changes will be highlighted on this page with a new review date.

Contact

Email: hello@saltaireguide.uk

For faster handling, include "Privacy" in the subject and tell us what right you wish to exercise.

Who we are

What data we collect (and why)

Contact details (you provide)

Technical logs (automatic)

Analytics (aggregated)

Email newsletter (optional)

User contributions

Local services lead submissions

Special category data

Local services lead submissions (the consult form)

What we collect at submission

Lawful basis

Who we pass your details to

What happens if you do not finish the form

Retention

Photos you attach

Your rights over a lead submission

Our lawful bases

How long we keep data

Contact form & email threads

Server/access logs

Analytics aggregates

Newsletter list

User contributions (published)

Local services leads

Journalism, public interest and the special purposes exemption

Who we share data with (processors)

International transfers

Legal and law-enforcement disclosures

Cookies & analytics

Security & international transfers

Your rights under UK data protection law

Right to complain to the ICO

Automated decision-making and profiling

Direct marketing and electronic communications

Children

Changes & how to contact us