Privacy Policy

Last Updated: February 2026

Surrey Sentinel is committed to protecting your privacy and handling your data in compliance with UK GDPR and the Data Protection Act 2018.

This Privacy Policy explains what personal data we collect, how we use it, and your rights under UK data protection law.

1. Who We Are

Surrey Sentinel is a review management platform for hospitality businesses. We help business owners manage and respond to online reviews from Google, TripAdvisor, and other platforms.

Data Controller: Surrey Sentinel (sole trader)
Contact: hello@surreysentinel.co.uk

2. What Data We Collect

We collect and process the following personal data:

2.1 Account Information

  • Email address (required for account creation and communication)
  • Name (if you sign up via Google OAuth)
  • Profile picture (if you sign up via Google OAuth)

2.2 Payment Information

  • Payment card details (processed and stored by Stripe, not by us)
  • Billing address (stored by Stripe)
  • Stripe Customer ID (stored in our database to link your account to your subscription)

2.3 Business Information

  • Business name (your hotel, restaurant, or business name)
  • Business location (Google Place ID, address, phone number)
  • Review data (public reviews from Google, TripAdvisor - this is publicly available data)

2.4 Usage Data

  • Analytics (via PostHog - only if you consent to analytics cookies)
  • Error logs (to diagnose technical issues)
  • Session data (to keep you logged in)

3. How We Use Your Data

We use your personal data for the following purposes:

3.1 Service Provision (Legal Basis: Contract)

  • Creating and managing your account
  • Processing your subscription payments via Stripe
  • Displaying your reviews and generating AI reply drafts
  • Sending service emails (welcome, payment receipts, payment failures)

3.2 Communication (Legal Basis: Legitimate Interest)

  • Responding to your support requests
  • Sending important service updates (e.g., terms changes)

3.3 Analytics and Improvement (Legal Basis: Consent)

  • Understanding how users interact with Surrey Sentinel (via PostHog)
  • Identifying bugs and performance issues
  • Note: Analytics tracking only occurs if you accept analytics cookies

4. Third-Party Services

We share data with the following third-party services to provide our service:

4.1 Stripe (Payment Processing)

  • Data shared: Email, name, payment card details, billing address
  • Purpose: Process subscription payments, manage billing
  • Privacy Policy: https://stripe.com/gb/privacy
  • Location: Data processed in EU/UK regions

4.2 Google OAuth (Authentication)

  • Data shared: Email, name, profile picture
  • Purpose: Allow you to sign in with your Google account
  • Privacy Policy: https://policies.google.com/privacy
  • Location: Data processed globally by Google

4.3 PostHog (Analytics - Consent Required)

  • Data shared: Usage events, page views, session replays (if consent given)
  • Purpose: Understand user behavior to improve the service
  • Privacy Policy: https://posthog.com/privacy
  • Location: Data processed in EU region (PostHog EU Cloud)

4.4 Baserow (Database)

  • Data shared: Business information, review data, reply drafts
  • Purpose: Store and manage your review data
  • Privacy Policy: https://baserow.io/privacy
  • Location: Self-hosted on Hetzner (Germany)

4.5 Apify (Review Scraping)

  • Data shared: Google Place ID (public identifier)
  • Purpose: Fetch public reviews from Google and TripAdvisor
  • Privacy Policy: https://apify.com/privacy-policy
  • Location: Data processed globally

4.6 Hetzner (Infrastructure)

  • Data shared: All application data (encrypted at rest)
  • Purpose: Host Surrey Sentinel servers
  • Privacy Policy: https://www.hetzner.com/legal/privacy-policy
  • Location: Germany (EU)

5. Data Retention

  • Active subscriptions: We retain your data while your subscription is active
  • Cancelled subscriptions: We delete your account data 30 days after cancellation
  • Payment records: Retained for 7 years to comply with UK tax law (HMRC requirements)
  • Review data: Deleted 30 days after cancellation (reviews are public data, not personal data)

6. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

6.1 Right of Access

Request a copy of all personal data we hold about you.

6.2 Right to Rectification

Correct any inaccurate or incomplete personal data.

6.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data (subject to legal retention requirements).

6.4 Right to Restriction

Request we stop processing your data (but not delete it).

6.5 Right to Data Portability

Receive your data in a structured, machine-readable format (e.g., CSV, JSON).

6.6 Right to Object

Object to processing based on legitimate interests or direct marketing.

6.7 Right to Withdraw Consent

Withdraw consent for analytics tracking at any time (via cookie settings).

To exercise your rights: Email hello@surreysentinel.co.uk with your request. We will respond within 30 days.

7. Cookies

Surrey Sentinel uses cookies to provide and improve our service.

7.1 Essential Cookies (Always Active)

These cookies are required for the site to function and cannot be disabled:
  • Session cookie (Auth.js) - Keeps you logged in
  • Cookie consent preference - Remembers your cookie choice
  • Stripe session - Securely processes payments

7.2 Analytics Cookies (Requires Consent)

These cookies help us understand how users interact with Surrey Sentinel:
  • PostHog tracking - Page views, user events, session replays
  • Purpose: Identify bugs, measure feature usage, improve UX
  • Duration: 365 days

You can manage cookie preferences via the cookie consent banner or your browser settings.

If you reject analytics cookies, we only collect anonymous page views (no user identification).

For more details, see our Cookie Policy.

8. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: All data transmitted over HTTPS/TLS
  • Encryption at rest: Database encrypted on Hetzner servers
  • Access controls: Multi-factor authentication for admin accounts
  • Regular security audits: Penetration testing for multi-tenant isolation

However, no system is 100% secure. If you discover a security vulnerability, please email hello@surreysentinel.co.uk immediately.

9. Children's Privacy

Surrey Sentinel is a business tool and not intended for children under 18. We do not knowingly collect data from children.

If we discover we have collected data from a child under 18, we will delete it immediately.

10. International Data Transfers

Your data is primarily processed within the UK and EU:

  • Hetzner servers: Germany (EU)
  • PostHog: EU Cloud region
  • Stripe: EU/UK regions

Some third-party services (Google, Apify) may process data outside the EU/UK. These transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the UK ICO
  • Adequacy decisions for certain countries
  • Privacy Shield frameworks where applicable

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.

If we make significant changes (e.g., new data collection or third-party services), we will notify you via email.

Your continued use of Surrey Sentinel after changes indicates acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or how we handle your data:

Email: hello@surreysentinel.co.uk
Address: [Company Address - TBD]

13. Complaints to the ICO

If you are unhappy with how we handle your data, you have the right to complain to the UK's data protection authority:

Information Commissioner's Office (ICO)
Website: https://ico.org.uk/make-a-complaint/
Phone: 0303 123 1113


This Privacy Policy is provided in good faith and complies with UK GDPR requirements. However, legal requirements may change. For specific legal advice, consult a solicitor.