On this page
The plain-English version
- We only collect the data we actually need to run GotAPal.
- We never sell your personal data — full stop.
- You can export, correct or delete your account at any time from Settings.
- UK GDPR applies. The ICO is our supervisory authority.
This summary is for clarity — the full sections below are what legally apply.
Who we are
GotAPal is operated by Towpath Digital Ltd (Company No. 16913912), a company registered in England & Wales and based in Cambridgeshire, United Kingdom.
For the purposes of UK GDPR and the Data Protection Act 2018, Towpath Digital Ltd is the data controller for personal data processed through GotAPal. You can reach us about anything privacy-related at privacy@gotapal.com.
What we collect
We try to keep this list short. The data we hold falls into two buckets:
You give us
- Account details (name, email, password)
- Profile information (bio, location, avatar, trade categories)
- Content you create (reviews, vouches, requests, photos)
- Messages you send through the platform or to support
- Verification info if you claim a business listing
We collect automatically
- Device and browser info (type, OS, screen size)
- Approximate IP-based location (city/region, never street level)
- Pages visited and actions taken (analytics events)
- Cookies — see our Cookie Policy
- Crash and performance logs (90 days)
Why we collect it (lawful basis)
Under UK GDPR, every piece of data we process needs a lawful basis. Here's the breakdown:
| Data | Purpose | Lawful basis |
|---|---|---|
| Account details | Provide and secure your account | Contract |
| Profile & listings | Show you on the directory you signed up to be on | Contract |
| Reviews, vouches, requests | Power the marketplace and keep it honest | Contract / Legitimate interest |
| Analytics & crash logs | Improve the product, fix bugs, prevent abuse | Legitimate interest |
| Marketing emails | Send you tips, product updates, weekly digest | Consent |
| Records for tax/audit | Meet our legal and accounting obligations | Legal obligation |
How long we keep it
We don't keep data forever just because we can. Defaults:
| Data | Retention period |
|---|---|
| Active account data | Until you delete your account |
| Deleted account data | 30 days, then permanently erased |
| Published reviews & vouches | Indefinite while the listing exists (anonymised on account deletion) |
| Support emails | 24 months from last contact |
| Server & access logs | 90 days |
| Marketing preferences | Until you unsubscribe |
| Tax / financial records | 7 years (HMRC requirement) |
International transfers
Some of our sub-processors are based outside the UK. Where data is transferred internationally, we rely on appropriate safeguards under UK GDPR — typically the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision. You can request a copy of the safeguards in place for any specific transfer by emailing privacy@gotapal.com.
Your rights under UK GDPR
You have the right to:
- Access — get a copy of the personal data we hold about you.
- Rectification — correct anything that's inaccurate or incomplete.
- Erasure — ask us to delete your account and personal data.
- Restriction — limit how we process your data in certain situations.
- Portability — receive your data in a portable, machine-readable format.
- Objection — object to processing based on legitimate interests, including profiling.
- Withdraw consent — for anything you previously consented to (e.g. marketing).
Children
GotAPal is not intended for anyone under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has signed up, please contact us and we will delete the account.
How we keep your data safe
We take security seriously. Our standard controls include:
- HTTPS / TLS 1.2+ in transit, AES-256 encryption at rest
- Row-level security on every database table holding user data
- Industry-standard password hashing (bcrypt) — we never see your password
- Audit logging on sensitive admin actions
- Principle of least privilege for staff and sub-processors
- Regular dependency scanning and security reviews
No system is 100% secure. If we ever experience a personal data breach that's likely to result in a risk to your rights and freedoms, we'll notify the ICO within 72 hours and let you know directly where required.
Changes to this policy
We update this policy from time to time. When we make material changes, we'll email registered users and post a prominent notice on the site at least 14 days before the changes take effect. The "Last updated" date at the top tells you when the current version was published.
How to complain
If you're unhappy with how we've handled your personal data, please tell us first — email privacy@gotapal.com and we'll do our best to put it right.
You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113 · ico.org.uk