Privacy Policy

Last updated: 23 March 2025

This Privacy Policy explains how Astor Holdings ("we", "us", "our") collects, uses, and protects your personal data when you use Planning Checker. We are committed to being transparent and keeping your data safe. This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable to users in the European Economic Area, the EU General Data Protection Regulation (EU GDPR 2016/679).

1. Who We Are

Astor Holdings
Sydney, Australia
Contact email: [email protected]

We are the data controller for the personal data you provide to us.

We do not have a separate EU representative at this time. EU users may contact us directly at the email address above for all data protection matters.

2. What Data We Collect

We collect the following personal data:

  • Account data: your email address and a hashed version of your password, collected when you register.
  • Property addresses: the UK addresses or postcodes you choose to monitor for planning activity.
  • Usage data: the date and time you accepted our Terms and Conditions, pages you visit, planning applications you view, and actions you take on the platform.
  • Planning activity: we store records of planning applications we find near your monitored addresses so we can send you alerts and avoid duplicate notifications.
  • Email preferences: your choices about which types of emails you receive from us, including any consent you give for use of anonymised data to improve our AI models.
  • IP address: recorded at account creation for security and legal compliance purposes.

We do not collect payment card information (handled directly by Stripe), phone numbers, or any special category data as defined under UK/EU GDPR.

3. How We Use Your Data

We use your data for the following purposes, with the lawful basis noted for each:

  • Providing the service (contract performance, Article 6(1)(b)): to create and manage your account, monitor planning applications near your chosen addresses, and send you email alerts when relevant applications are found.
  • AI-generated digests (legitimate interest, Article 6(1)(f)): we pass public planning application text to an AI API to generate plain-English summaries. We do not send your personal details to the AI provider — only the public planning application data.
  • Legal compliance (legal obligation, Article 6(1)(c)): we retain records of your acceptance of our Terms and Conditions and Privacy Policy to demonstrate compliance with UK/EU GDPR requirements.
  • Service improvement — aggregate analysis (legitimate interest, Article 6(1)(f)): aggregate, anonymised analysis of how the service is used to improve its performance. This does not involve identifying individual users.
  • AI model training for commercial purposes (consent, Article 6(1)(a)): where you have explicitly opted in via your profile settings, we may use anonymised patterns from your usage (such as which planning applications you viewed or marked as relevant) to train and improve our AI alert and summarisation models, including for commercial purposes. Your name, email address, and property addresses are never included. You may withdraw this consent at any time through your Profile page. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Marketing emails (consent, Article 6(1)(a)): where you have opted in, we may send you product update and news emails. You may opt out at any time through your Profile page or by clicking the unsubscribe link in any such email.

4. Third Parties We Share Data With

We share your data with the following third parties only to the extent necessary to operate the service:

  • Render (render.com): our web hosting provider. Your data is stored on servers operated by Render. Render Privacy Policy.
  • Neon (neon.tech): our PostgreSQL database provider. Your account and property data is stored in a Neon-managed database. Neon Privacy Policy.
  • OpenAI (openai.com): we send public planning application text to OpenAI to generate AI summaries. We do not send your name, email, or address to OpenAI. OpenAI Privacy Policy.
  • Resend (resend.com): our email delivery provider, used to send alert and digest emails to you. Resend Privacy Policy.
  • Stripe (stripe.com): our payment processor, used for subscription billing. Stripe handles all payment card data directly and we do not store card details. Stripe Privacy Policy.

We do not sell your personal data. We do not share your data with advertisers or any other third parties not listed above.

5. International Data Transfers

Some of our third-party providers (including OpenAI and Resend) are based in the United States. Where your data is transferred outside the UK or EEA, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the relevant authority. By using the service you acknowledge these transfers may occur.

6. Data Retention

  • Account data: retained for as long as your account is active. If you delete your account, your email address and property addresses are deleted within 30 days.
  • Planning application records: retained for up to 3 years to support historical comparison and avoid duplicate alerts.
  • Terms and Privacy Policy acceptance records: retained for 6 years after account closure to demonstrate legal compliance.
  • IP address (at signup): retained for 12 months for security purposes, then deleted.
  • Marketing consent records: retained until consent is withdrawn, plus 6 years thereafter to demonstrate compliance.
  • AI training consent records: retained until consent is withdrawn, plus 6 years thereafter.

7. Your Rights

Under UK GDPR and EU GDPR, you have the following rights:

  • Access (Article 15): request a copy of the personal data we hold about you.
  • Rectification (Article 16): ask us to correct inaccurate data.
  • Erasure (Article 17): ask us to delete your account and personal data ("right to be forgotten").
  • Portability (Article 20): receive your data in a machine-readable format (CSV or JSON on request).
  • Restriction (Article 18): ask us to limit processing of your data in certain circumstances.
  • Object (Article 21): object to processing based on legitimate interest, including profiling.
  • Withdraw consent (Article 7(3)): where we rely on consent (marketing emails, AI training), withdraw it at any time without affecting the lawfulness of prior processing. You can do this via your Profile page or by emailing us.
  • Not be subject to automated decisions (Article 22): we do not make solely automated decisions that produce legal or similarly significant effects about you.

To exercise any of these rights, email us at [email protected]. We will respond within one calendar month (extendable by a further two months for complex requests).

UK users: you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

EU users: you have the right to lodge a complaint with your national data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.

8. Cookies

We use only a single session cookie to keep you logged in while you use the site. This cookie is strictly necessary for the service to function and is deleted when you close your browser or log out. We do not use tracking cookies, analytics cookies, or advertising cookies. No third-party cookies are set by our site. As our cookie use is strictly necessary, no cookie consent banner is required under UK PECR or EU ePrivacy rules.

9. Data Security

We use industry-standard measures to protect your data, including encrypted HTTPS connections, hashed password storage (we never store passwords in plain text), and access controls limiting who can access the database. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay.

10. Children

Planning Checker is not intended for use by anyone under the age of 18. We do not knowingly collect data from children. If we become aware that we have collected data from someone under 18, we will delete it promptly.

11. Automated Decision-Making and Profiling

We use automated processing to match planning applications to your registered watches and to generate risk scores for applications near your monitored properties. These automated processes assist you in identifying relevant planning activity but do not produce legal or similarly significant decisions about you. You may review and act on AI-generated summaries independently.

12. Changes to This Policy

If we make significant changes to this policy, we will notify you by email or by displaying a prominent notice on the site at least 14 days before the changes take effect. The "last updated" date at the top of this page always reflects the most recent version.

13. Contact Us

For any privacy-related queries or to exercise your rights, email [email protected]. We aim to respond within one calendar month.