Privacy Policy
Last updated: 17 April 2026
1. Who we are
PresenceScan AI ("we", "us", "our") is operated by Urbandog Media, the data controller for the personal data processed through this platform.
Privacy contact: privacy@presencescanai.com · General contact: info@presencescanai.com.
We are not legally required to appoint a Data Protection Officer (Art. 37 UK GDPR), but the privacy contact above acts as our single point of accountability for data matters.
2. Who can use the service
PresenceScan AI is intended for business users aged 18 or over. We do not knowingly collect personal data from anyone under 18. If you believe a child has created an account, please email us and we will delete it promptly.
3. What we collect
- Account data: email, display name, password hash (managed by our auth provider).
- Scan data: business name, industry, location, keywords you submit and the results we generate.
- Purchase data: Stripe transaction reference, tier, amount, currency. Card details are handled by Stripe — we never see or store them.
- Usage data: analytics events (page views, scan starts, button clicks) — only with your consent and respecting your account-level opt-out.
- Consent log: append-only record of every consent action you take, with timestamp, IP and user agent. Retained as legal evidence (Art. 7).
- Support data: the contents of any enquiry or email you send us.
4. Lawful basis (UK & EU GDPR Art. 6)
- Contract: to deliver the scan, store your reports, and provide your account.
- Legitimate interest: to keep the service secure, prevent fraud, and improve the product.
- Consent: for optional analytics, marketing emails, and non-essential cookies. You can withdraw consent at any time from the dashboard.
- Legal obligation: to keep transaction records for tax and accounting.
5. How long we keep it (data retention)
We delete data automatically when it is no longer needed. Specific retention windows:
| Category | Retention | Why |
|---|---|---|
| Account & profile | Until deletion + 30 days in encrypted backups | Service delivery |
| Scans | 24 months, then auto-deleted | User access; quality improvement |
| Analytics events | 12 months, then auto-deleted | Product improvement |
| Purchase records | 7 years | UK statutory financial retention |
| Consent log | Indefinite | Legal evidence (Art. 7) |
| Email suppression list | Indefinite | To honour your opt-out |
| Rate-limit logs | 24 hours | Abuse prevention |
6. Subprocessors
The following processors handle personal data on our behalf. All are bound by a Data Processing Agreement (DPA):
| Processor | Purpose | Region | DPA |
|---|---|---|---|
| Supabase | Database, authentication, file storage | EU | link |
| Cloudflare | Hosting, edge runtime, DDoS protection | Global edge | link |
| Stripe | Payment processing | EU/US (SCCs) | link |
| Resend | Transactional email delivery | EU/US (SCCs) | link |
| Firecrawl | Public web data extraction during scans | US (SCCs) | link |
| Google Gemini & OpenAI | AI analysis of public scan data — no personal account data is sent | US (SCCs) | link |
7. International transfers
Where data leaves the UK/EEA (e.g. Stripe US, AI providers), we rely on the UK International Data Transfer Addendum and EU Standard Contractual Clauses to ensure equivalent protection. We do not sell personal data.
8. Your rights
Under UK & EU GDPR you have the right to:
- Access your data (Art. 15) — download anytime from the dashboard.
- Rectify inaccurate data (Art. 16) — edit your profile from the dashboard.
- Erase your account and data (Art. 17) — delete anytime from the dashboard.
- Restrict or object to processing (Art. 18 & 21) — pause analytics from the dashboard.
- Data portability (Art. 20) — JSON or CSV export from the dashboard.
- Withdraw consent at any time without affecting prior lawful processing (Art. 7(3)).
- Lodge a complaint with the ICO (UK) or your local supervisory authority (EU).
To exercise any of these, use the in-app controls or email privacy@presencescanai.com — we respond within 30 days.
9. Security
We protect your data with row-level security policies (you can only access your own data), encrypted transport (HTTPS/TLS 1.2+), encrypted backups, hashed passwords, leaked-password checks against the Have I Been Pwned database, rate limiting, and least-privilege admin access. We maintain a documented breach-response runbook and will notify the ICO within 72 hours of becoming aware of a reportable breach (Art. 33), and affected users without undue delay where required (Art. 34).
10. Cookies
See our Cookie Policy for our granular consent options (necessary / analytics / marketing) and to change your preferences.
11. Changes
We will notify you in-app (via a blocking consent banner) of any material change and re-prompt for acceptance. Minor clarifications will be posted here with an updated date.