Privacy Policy

How we handle your data.

Last updated: 28 April 2026

1. Who we are (the data controller)

The data controller for personal data processed in connection with the GeoData service is:

Leading Logic Ltd (company number 16977705)
Level One, Basecamp, 49 Jamaica Street
Liverpool, Merseyside, L1 0AH
United Kingdom
Privacy contact: privacy@leadinglogic.ai

We have not appointed a statutory Data Protection Officer because we are not required to under UK GDPR Article 37. Privacy and data-protection enquiries are handled by the email address above.

2. Information we collect

When you create an account we collect your name and email address. When you use the API we log request metadata (timestamps, endpoints accessed, postcode queries, response status, source IP) for rate limiting, billing, and fraud prevention. When you subscribe to a paid plan we collect billing details via Stripe (we never see or store full card numbers).

We do not collect or store personal data about the postcodes you query — postcode lookups return aggregate, official data (census, crime, deprivation, etc.) about geographic areas, not individuals.

3. Lawful basis for processing (UK GDPR)

For each category of processing we rely on one of the following lawful bases under UK GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)) — providing the API service to paying customers, account management, processing payments and invoices.
  • Legitimate interests (Art. 6(1)(f)) — rate limiting, security monitoring, fraud detection, abuse prevention, internal analytics on aggregate API usage, and direct correspondence with users about service issues. We balance these interests against your rights and only rely on this basis where a reasonable user would expect the processing.
  • Consent (Art. 6(1)(a)) — only where we ask you explicitly (e.g. opting in to a newsletter — currently we do not run one).
  • Legal obligation (Art. 6(1)(c)) — retaining accounting / VAT records for the periods required by HMRC.

4. How we use your information

We use your information to provide and improve the service, manage your account, enforce rate limits, process payments, and communicate service updates. We do not sell or rent your personal information to third parties, and we do not use it for advertising.

5. Cookies and similar technologies

We do not use third-party advertising or analytics cookies. We do not embed Google Analytics, Hotjar, or similar trackers.

We use a small number of strictly necessary browser-storage items, all set on the GeoData domain only:

  • idToken / accessToken / refreshToken in localStorage — AWS Cognito sign-in tokens that keep you logged in.
  • demo_session_id in localStorage — random UUID used to rate-limit anonymous demo lookups on the public tools.

The Stripe Checkout and Customer Portal pages, which run on Stripe-owned domains, set their own cookies as documented in Stripe's cookies policy. These are required to process payments and prevent fraud.

6. Data storage and security

Personal data and API logs are stored on AWS infrastructure in the EU (London region, eu-west-2). Data is encrypted at rest (AWS-managed keys) and in transit (TLS 1.2+). Account authentication is handled by AWS Cognito.

7. International transfers

Day-to-day processing happens within the United Kingdom and the European Economic Area:

  • AWS — primary processing in the eu-west-2 (London) region. AWS may process limited operational metadata in other regions; we rely on the UK adequacy decision and AWS's signed UK / EU Standard Contractual Clauses.
  • Stripe — payment processing involves transfers to Stripe entities in the United States and Ireland. These transfers are made under Standard Contractual Clauses and the UK International Data Transfer Addendum, as documented in Stripe's privacy notices.

We do not transfer personal data to any other third country.

8. Third-party processors

We rely on a small set of sub-processors:

  • Amazon Web Services (AWS) — hosting, storage, authentication, email delivery.
  • Stripe — payments, billing, invoicing, dunning, hosted customer portal. See Stripe's privacy policy.

9. Data retention

We keep personal data only as long as we need it for the purposes set out in this policy or to meet legal obligations:

  • Account data (name, email, tier, API keys) — for the lifetime of your account, then deleted within 30 days of account closure (excluding legal-hold).
  • API rate-limit counters — auto-expired by DynamoDB TTL on a rolling basis (hours to one billing cycle).
  • API access logs — short-term, used for billing reconciliation and abuse investigation, then expired.
  • Billing records and invoices — retained for the period required by HMRC (currently 6 years from the end of the relevant accounting period).

10. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your data ("right to be forgotten") subject to legal-retention obligations.
  • Restrict or object to processing.
  • Receive your data in a portable format.
  • Withdraw consent where consent is the basis for processing.
  • Lodge a complaint with the Information Commissioner's Office at ico.org.uk.

You can manage profile information and revoke API keys from your account settings, or contact us at privacy@leadinglogic.ai to exercise any of the rights above.

11. Children

GeoData is a B2B developer service and is not directed at children. We do not knowingly collect personal data from anyone under 16.

12. Changes to this policy

We may update this Privacy Policy from time to time. The "last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated to active customers by email.

13. Contact

For privacy-related enquiries, please contact us at privacy@leadinglogic.ai, or write to Leading Logic Ltd at the registered address above.