Privacy Policy
Last updated: 07 June 2026
MB Planning Alerts ("we", "us", "our") operates planningalerts.org.uk. This policy explains how we collect, use, and safeguard your personal data in accordance with the UK GDPR and the Data Protection Act 2018.
1. Who we are
MB Planning Alerts is operated in the United Kingdom. Our data protection contact is [email protected].
2. Data we collect and why
Account data
- Email address — collected when you create an account. Used to send magic-link login emails and planning application alerts. Legal basis: contract performance.
- Saved locations (postcode, optional label, radius) — used to match planning applications for your alerts. Legal basis: contract performance.
- Alert preferences (instant / daily digest) — used to control how often you receive emails. Legal basis: contract performance.
- Subscription data (Stripe customer ID, plan, billing period) — stored to manage paid Homeowner tier access. Legal basis: contract performance. Stripe processes payment card data under their own privacy policy; we do not store card details.
Technical data
- Login rate-limit records — IP address and email hashed per login attempt, retained for 24 hours. Legal basis: legitimate interest (fraud prevention).
- Server logs — standard web-server access logs (IP, user-agent, path). Retained for 30 days. Legal basis: legitimate interest (security, debugging).
- Session cookies — a single HTTP-only, Secure, SameSite=Lax session cookie used to maintain login state. No tracking or advertising cookies are set.
Planning application data
We index publicly available planning application records from UK local planning authority websites and the MHCLG planning data API. This data may include applicant names and addresses as submitted to public registers. We do not add any personal data beyond what is on the public register.
3. Who we share data with
- Stripe — for payment processing (Homeowner tier). Subject to Stripe's privacy policy.
- Migadu — email delivery provider (SMTP). Used to send magic-link and alert emails.
- Hetzner — server hosting. Infrastructure provider; data is processed in the EU.
We do not sell personal data. We do not share personal data with advertisers.
4. Your rights
Under the UK GDPR you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request erasure ("right to be forgotten")
- Object to or restrict processing
- Request data portability
- Withdraw consent where processing is based on consent
To exercise any right, email [email protected]. We will respond within 30 days.
You may also delete your account at any time via Account Settings → Delete Account. This hard-deletes your user row and anonymises your alert history within 30 days.
5. Retention
- Account data — retained until you delete your account, then hard-deleted within 30 days.
- Alert logs — anonymised on account deletion; aggregate stats retained indefinitely.
- Login tokens — deleted within 15 minutes of creation or on first use, whichever is sooner.
- Webhook events — pruned after 30 days.
- Login rate-limit records — pruned after 24 hours.
6. Cookies
We use one session cookie (HTTP-only, Secure, SameSite=Lax) to maintain your login state. No third-party cookies, no tracking pixels, no analytics scripts.
7. Changes to this policy
We will post any material changes on this page and update the "Last updated" date. Continued use of the service after changes constitutes acceptance.
8. Contact
Privacy enquiries: [email protected]
General contact: Contact page