Privacy Policy

This policy explains what personal data AreaIQ collects, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Last updated: 10 March 2026

1. Data Controller

AreaIQ is operated as a sole trader based in the United Kingdom. For data protection enquiries, contact us at hello@area-iq.co.uk.

2. What Data We Collect

We collect the following categories of personal data:

Account information. Name, email address, and hashed password (for email/password accounts). For Google OAuth users, we receive your name, email, and profile image from Google.

Report history. The postcodes and intents you search, the reports generated, and the timestamps of each request. This is stored against your user account.

Usage analytics. Page views, feature usage events, and report generation counts. These are tracked internally for product improvement and are associated with your account.

Payment information. Billing details are collected and processed by Stripe. We do not store your card number, CVC, or full payment details. We retain your Stripe customer ID and subscription status.

API keys. If you are on the Business plan, we store hashed API keys associated with your account.

Email verification tokens. Temporary tokens generated during account verification, stored until used or expired.

3. How We Use Your Data

We process your personal data for the following purposes:

Service delivery. To authenticate you, generate area reports, track your usage against plan limits, and maintain your report history. Legal basis: performance of a contract.

Payment processing. To manage subscriptions, process payments, and handle billing queries through Stripe. Legal basis: performance of a contract.

Product improvement. To understand how the Service is used, identify issues, and improve features. Legal basis: legitimate interest.

Communication. To send account-related emails, including verification, password resets, and material changes to the Service or terms. Legal basis: performance of a contract and legitimate interest.

We do not sell your personal data to third parties. We do not use your data for advertising or profiling.

4. Third-Party Services

We share data with the following third-party processors, each acting under data processing agreements:

Stripe. Payment processing and subscription management. Data shared: Email, billing details, payment method.

Vercel. Application hosting and edge delivery. Data shared: Request logs, IP addresses.

Neon. PostgreSQL database hosting. Data shared: Account data, report history, usage records.

Anthropic. AI Engine narration layer. Data shared: Area data and scores (no personal data sent).

Resend. Transactional email delivery. Data shared: Email address, email content.

Google OAuth. Authentication provider. Data shared: Name, email, profile image (provided by Google).

Postcodes.io, Police.uk, the IMD 2025 dataset, OpenStreetMap, and the Environment Agency API are queried server-side using only postcode or coordinate data. No personal information is sent to these government data sources.

5. Cookies and Session Data

AreaIQ uses a single session cookie managed by NextAuth.js. This cookie is essential for authentication and does not track you across other websites. It contains a signed JSON Web Token (JWT) with your user ID and session expiry.

We do not use third-party tracking cookies, advertising pixels, or analytics services such as Google Analytics. All usage tracking is first-party and internal.

6. Data Retention

Account data is retained for as long as your account is active. If you request account deletion, we will erase your personal data within 30 days, except where retention is required by law (for example, financial records for tax purposes, which are retained for up to 7 years).

Report data is retained with your account. Shared report URLs remain accessible unless the associated account is deleted.

Email verification tokens expire and are deleted after 24 hours.

Payment records in Stripe are retained in accordance with Stripe's data retention policies and UK financial regulations.

7. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation, you have the following rights:

Right of access. You can request a copy of all personal data we hold about you.

Right to rectification. You can ask us to correct inaccurate or incomplete data.

Right to erasure. You can request deletion of your personal data. We will comply within 30 days, subject to legal retention obligations.

Right to data portability. You can request your data in a structured, machine-readable format (JSON).

Right to restrict processing. You can ask us to limit how we use your data in certain circumstances.

Right to object. You can object to processing based on legitimate interest. We will stop unless we have compelling grounds to continue.

To exercise any of these rights, email hello@area-iq.co.uk with the subject line "Data Request". We will respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including: encrypted connections (HTTPS) for all traffic, passwords hashed using the Web Crypto API, encrypted database connections to Neon Postgres, hashed API keys, and environment-variable-based secret management on Vercel.

While we take reasonable precautions, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. International Data Transfers

Some of our third-party processors (Vercel, Stripe, Anthropic) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms approved under UK data protection law.

10. Children's Privacy

AreaIQ is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a user is under 16, we will delete their account and associated data promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email. The "Last updated" date at the top of this page indicates the most recent revision.

12. Contact

For any privacy-related questions or data requests, contact us at hello@area-iq.co.uk.

See also our Terms of Service for the full terms governing use of the platform.