Skip to main content
RestoreTrade Restore Trade

Privacy Policy

Last updated: 25 April 2026

1. Who we are

RestoreTrade is a free verified business directory operated by Mycelium Consulting Ltd, a company registered in England and Wales. For UK GDPR purposes Mycelium Consulting Ltd is the data controller. Contact for all data matters: privacy@restoretrade.co.uk.

Our ICO data-controller registration is in progress (Phase 0c.8). The registration number will be added here once issued.

2. What data we collect

When you sign in (magic-link authentication):

  • Your email address and the timestamp of each sign-in
  • A session cookie (HttpOnly, Secure, SameSite=Lax)

When you submit a business listing via /submit:

  • Business name, postcode, town, county, category, description
  • Contact details you choose to publish (phone, email, website)
  • Companies House number (if applicable — used to cross-reference)
  • The link between the submission and your authenticated user ID

When you claim a listing via /claim/[slug]:

  • The evidence you supply (Companies House director match, email-domain proof, or manual review information)
  • The link between the claim and your authenticated user ID

When you leave a review:

  • The display name you provide and the review body / star rating
  • The link between the review and your authenticated user ID (used for moderation and rate-limiting)

When you visit any page:

  • Anonymous Plausible Analytics page-view counts (no cookies, no personal data, no IP retention beyond aggregate)
  • Server-side error reports via Sentry (request URL + browser type, no body content, EU region ingest)

We do not collect data about political affiliation, religious beliefs, ethnicity, health, or any other special category data under UK GDPR Article 9.

3. How we use your data

  • To display your business listing in the directory (only after you've submitted it)
  • To verify your business identity (Companies House cross-reference)
  • To authenticate you on return visits via magic-link email
  • To moderate reviews and submissions for accuracy and abuse
  • To compute aggregate statistics (county counts, category averages — no individual identification)
  • To diagnose errors and uptime issues (Sentry + Better Stack monitoring)

4. Legal basis for processing (UK GDPR Article 6)

  • Consent (Art. 6(1)(a)) — when you actively submit a listing, claim, or review.
  • Contract (Art. 6(1)(b)) — when you create an account to manage your own listings.
  • Legitimate interest (Art. 6(1)(f)) — operating a verified business directory, fraud prevention, security monitoring. Balanced against your rights — see Section 7.

5. Data sharing and third parties

Your business listing information (name, category, location, public contact details) is publicly displayed and crawled by search engines and AI services (see AI policy).

We do not sell your data. We share specific data only with the processors below, who act on our written instructions:

  • Supabase (eu-west-2, London) — primary data store, PostgreSQL with row-level security
  • Netlify — hosting and edge function execution
  • AWS SES (eu-west-1, Ireland) — transactional email (magic links, notifications)
  • Plausible Analytics (self-hosted, EU) — anonymous page-view counts
  • Sentry (EU region) — error reporting; EU data residency
  • Better Stack (EU region) — uptime monitoring
  • Companies House API (UK government) — public-record cross-reference (no personal data sent; we send their company numbers and they return their public data)

6. Data retention

  • Active listings — retained while published
  • Authentication records — auth.users row retained until account deletion
  • Reviews — retained while the underlying business listing exists; anonymised on user deletion (see Section 8)
  • Moderation queue / rejected submissions — retained for 12 months for abuse-pattern detection
  • Audit log — retained for 24 months for security review
  • Sentry error events — 30 days (Sentry default)
  • Plausible analytics — aggregated forever, no individual sessions

7. Your rights under UK GDPR

You have the right to:

  • Access a copy of your personal data (Article 15)
  • Rectification of inaccurate data (Article 16)
  • Erasure ("right to be forgotten", Article 17)
  • Restriction of processing (Article 18)
  • Data portability (Article 20)
  • Object to processing on legitimate-interest grounds (Article 21)
  • Withdraw consent at any time (Article 7(3))
  • Lodge a complaint with the ICO (ico.org.uk)

Self-service tools for these rights are documented at /data-subject-rights/.

8. Account deletion + anonymisation

When you delete your account via /api/gdpr/delete.json:

  • Your auth.users record is permanently deleted
  • Your business claims (the link between you and a claimed listing) are cascaded
  • Your reviews remain on the directory but are anonymised — your name becomes "Anonymous (deletion request)" and the user-ID link is severed
  • Your business listings (if you owned any as primary_owner) remain published but the owner link is severed
  • Audit-log entries for security-relevant actions are retained per Section 6

9. Cookies

We set one category of cookie: a session cookie when you sign in (HttpOnly, Secure, SameSite=Lax). It is essential for authentication and is exempt from PECR consent under the strictly-necessary exception. We do not set any tracking, marketing, or third-party analytics cookies.

10. International transfers

All primary data (Supabase, Sentry, Plausible, Better Stack) is stored within the EU/UK jurisdiction. AWS SES traffic for transactional email transits the EU region. We do not transfer personal data outside the UK or EEA.

11. Changes to this policy

We may update this policy. The "Last updated" date at the top of this page reflects the most recent revision. Material changes that affect your rights will be notified to authenticated users via email at the address on file.

12. Contact

Privacy queries: privacy@restoretrade.co.uk.
Listing removal: remove@restoretrade.co.uk.
General: hello@restoretrade.co.uk.