This policy explains what personal data OneGoodArea collects, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
OneGoodArea is operated as a sole trader based in the United Kingdom. For data protection enquiries, contact us at operation@onegoodarea.co.uk.
We collect the following categories of personal data:
Account information. Name, email address, and hashed password (for email/password accounts). For OAuth users, we receive your name, email, and profile image from the provider.
API usage history. The endpoints you call, the postcodes and area codes you query, the request counts, and the timestamps of each request. Stored against your account and used for billing and usage analytics.
Usage analytics. Page views, feature usage events, and dashboard interactions. Tracked internally for product improvement and associated with your account.
Payment information. Billing details are collected and processed by Stripe. We do not store your card number, CVC, or full payment details. We retain your Stripe customer ID and subscription status.
API keys. Every account can generate API keys (Sandbox included). We store the key fingerprint plus a hashed form of the secret; the raw secret is shown to you once at generation and never persisted in plaintext.
Email verification tokens. Temporary tokens generated during account verification, stored until used or expired (24-hour window).
We process your personal data for the following purposes:
Service delivery. To authenticate you, execute API requests, track your usage against plan limits, and maintain your audit trail. Legal basis: performance of a contract.
Payment processing. To manage subscriptions, process payments, and handle billing queries through Stripe. Legal basis: performance of a contract.
Product improvement. To understand how the Service is used, identify issues, and improve features. Legal basis: legitimate interest.
Communication. To send account-related emails, including verification, password resets, and material changes to the Service or terms. Legal basis: performance of a contract and legitimate interest.
We do not sell your personal data to third parties. We do not use your data for advertising or profiling.
We share data with the following third-party processors, each acting under data processing agreements:
Police.uk, the IMD 2025 / WIMD 2019 / SIMD 2020 deprivation datasets, HM Land Registry, Ofsted, Companies House, OpenStreetMap, the Environment Agency, the ONS National Statistics Postcode Lookup, and Postcodes.io are queried server-side using only postcode or area-code data. No personal information is sent to these government or open data sources.
Account data is retained for as long as your account is active. If you request account deletion we will erase your personal data within 30 days, except where retention is required by law (for example, financial records for tax purposes are retained for up to 7 years).
API usage data is retained with your account for as long as the account is active, then deleted with the account.
Email verification tokens expire and are deleted after 24 hours.
Payment records in Stripe are retained in accordance with Stripe's data retention policies and UK financial regulations.
Under the UK General Data Protection Regulation, you have the following rights:
Right of access. You can request a copy of all personal data we hold about you.
Right to rectification. You can ask us to correct inaccurate or incomplete data.
Right to erasure. You can request deletion of your personal data. We will comply within 30 days, subject to legal retention obligations.
Right to data portability. You can request your data in a structured, machine-readable format (JSON).
Right to restrict processing. You can ask us to limit how we use your data in certain circumstances.
Right to object. You can object to processing based on legitimate interest. We will stop unless we have compelling grounds to continue.
To exercise any of these rights, email operation@onegoodarea.co.uk with the subject "Data Request". We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
We implement appropriate technical and organisational measures to protect your personal data, including: encrypted connections (HTTPS) for all traffic, hashed passwords using the Web Crypto API, encrypted database connections to Neon Postgres, fingerprint + salted-hash storage for API keys (raw secret shown once and never persisted), and environment-variable-based secret management on Vercel and Render.
While we take reasonable precautions, no method of transmission over the internet or electronic storage is 100 percent secure. We cannot guarantee absolute security.
Some of our third-party processors (Vercel, Stripe, Anthropic) may process data outside the UK. Where this occurs we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms approved under UK data protection law.
OneGoodArea is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a user is under 16 we will delete their account and associated data promptly.
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email. The "Last updated" date at the top of this page indicates the most recent revision.
For any privacy-related questions or data requests, contact us at operation@onegoodarea.co.uk.
See also our Terms of Service for the full terms governing use of the platform.
We read everything that lands at operation@onegoodarea.co.uk and we usually reply within one business day.