Privacy policy
Last updated: 08/05/2026
1. Who we are
gazetted is a trading name of Public Notice Systems Ltd (company number 17066508), registered in England and Wales. We are the data controller for personal data processed through our platform.
Registered office: 4 Solon Road, London, SW2 5UY.
Registered with the Information Commissioner's Office (ICO), registration number ZC110158.
Contact: notices@gazetted.co.uk
2. What data we collect
We collect the following categories of personal data:
- Account information: name, email address, company name, phone number, and password (stored in hashed form).
- Order information: details you provide when placing a statutory notice, including applicant names, addresses, company details, deceased person details (for probate notices), and contact information.
- Payment information: payment card details are processed by Stripe and are not stored on our servers. We retain transaction references and amounts.
- Usage data: IP address, browser type, pages visited, and timestamps for security and analytics purposes.
- Cookies: we use essential cookies (session authentication, cookie consent preference) and optional analytics cookies. See section 11 below for details.
3. How we use your data
We process your personal data for the following purposes:
- To provide our statutory notice placement service, including generating, placing, and certifying newspaper and Gazette notices.
- To communicate with you about your orders, including sending proofs, confirmations, and certificates.
- To process payments through our payment processor, Stripe.
- To comply with legal obligations, including record-keeping requirements.
- To improve our services and develop new features.
4. Legal basis for processing
We process your personal data on the following legal bases:
| Processing purpose | UK GDPR Art.6 lawful basis | Why this basis |
|---|---|---|
| Place statutory notices in newspapers and the London Gazette on your behalf | Art.6(1)(b) — contract | Necessary to perform the placement contract you signed up for. |
| Council users acting in discharge of statutory functions (e.g. LA 2003 s.17, HA 1980 s.116, TCPA 1990 s.69) | Art.6(1)(e) — public task | Council notice placement is the discharge of a public-law statutory duty. |
| Send order confirmations, proofs, certificates of publication, and service emails | Art.6(1)(b) — contract | Transactional emails are part of the placement service. |
| Process payments via Stripe (cards, invoices, purchase orders) | Art.6(1)(b) — contract | Necessary to take payment for the service requested. |
| Keep accounting and tax records (invoices, VAT, PO references) | Art.6(1)(c) — legal obligation | Companies Act 2006 s.388 + VAT Act 1994 Sch 11 para 6 require us to keep these. |
| Maintain order audit logs (status transitions, who placed / amended / cancelled) | Art.6(1)(c) — legal obligation | Statutory-notice integrity expectations + Companies Act record-keeping. |
| Detect, prevent, and investigate fraud / abuse / misuse of the platform | Art.6(1)(f) — legitimate interests | Our interest in protecting users, councils and newspapers from fraudulent placements. |
| Platform security: server logs, error monitoring (Sentry), rate-limiting | Art.6(1)(f) — legitimate interests | Necessary to keep the service available and secure; minimal privacy intrusion. |
| Improve the service (bug reports, aggregate usage analytics) | Art.6(1)(f) — legitimate interests | Our interest in improving a service we deliver to you. You can object at any time. |
| Marketing emails (product updates, sector commentary) | Art.6(1)(a) — consent | Opt-in. Withdraw at any time via unsubscribe link or by emailing us. |
| Optional analytics cookies (Vercel Speed Insights) | Art.6(1)(a) — consent | Loaded only after you accept analytics cookies. See §11. |
We do not rely on Art.6(1)(d) (vital interests). We do not process special-category data under Art.9 UK GDPR — probate notices contain personal data of the deceased and applicants, but no health, biometric, racial, religious or other Art.9 categories.
5. Who we share data with
We share personal data with the following categories of recipients:
- Newspaper publishers: the notice text and applicant details necessary for publication.
- The London Gazette: notice text and applicant details for Gazette publications.
- Stripe: payment processing (Stripe's privacy policy applies to payment data).
- Resend: email delivery service for transactional emails.
- Supabase: database hosting (data stored in AWS eu-west-1, Ireland).
- Vercel: application hosting and content delivery.
- Sentry: error monitoring (may capture IP addresses and technical context when errors occur).
- Qmuli (AddFast): artwork delivery to newspaper publishers (UK).
- OpenAI: AI-assisted proof-of-publication verification.
We do not sell your personal data to third parties. We do not share your data for marketing purposes without your explicit consent.
6. Data retention
We keep personal data only as long as we need it. The table below sets out our standard retention periods. Where a longer period is required by law, the legal minimum applies.
| Data class | Retention period | Why |
|---|---|---|
| Account data (name, email, company, phone, hashed password) | For the life of the account, then 24 months after closure | Re-open / dispute window. Hashed passwords irreversibly deleted on closure. |
| Order data (notice text, applicant / deceased / company / premises / planning details) | 7 years from publication or order closure, whichever is later | Statutory-notice evidential value + Limitation Act 1980 s.5 (6-year contract claims) + 1-year buffer. |
| Order audit log (status transitions, actor, reason) | 7 years from order closure | Tied to the order it audits; deletion blocked at DB level (onDelete: Restrict). |
| Invoices, VAT records, PO references, payment-transaction references | 6 years from end of the relevant accounting period | Companies Act 2006 s.388(4)(b) + VAT Act 1994 Sch 11 para 6 + HMRC reg 31 VAT Regs 1995. |
| Payment-card data | Not stored by us at any time | Tokenised by Stripe; we hold only Stripe references and amounts. |
| Council department / spend-limit / RBAC records | For the life of the council account, then 24 months | Procurement-record continuity; mirrors account retention. |
| Saved notice templates | Until you delete the template, or 24 months after account closure | User-controlled; deleted with the parent account. |
| Support tickets and email correspondence | 3 years from ticket closure | Handles repeat-issue context without indefinite retention. |
| Server access logs, security logs, error reports (Sentry) | 90 days | Sufficient for incident response; minimises long-tail exposure. |
| Webhook event log (idempotency) | 12 months | Long enough to defeat duplicate-delivery races; short enough to limit retention. |
| Inbound email parsing residue (unmatched emails) | Up to 90 days after match resolution; up to 180 days for unmatched records (admin escalation at 150 days) | UK GDPR Art.5(1)(e) storage limitation; Art.6(1)(f) legitimate interest in operational matching. Hard-deleted by automated daily purge. |
| Marketing-list membership and consent record | Until you unsubscribe, then 24 months (suppression-list only) | Suppression-list retention is the lawful basis for honouring your withdrawal of consent. |
| Cookies and session tokens | See §11 | Session 8h; consent preference stored in localStorage and a first-party cookie; CSRF session-only; marketing attribution only after “Accept all”. |
| Sub-processor copies (Stripe, Resend, Vercel, Supabase, Sentry, Qmuli, OpenAI) | Per each sub-processor’s policy — see Data Processing Addendum | Each is contractually bound; we do not control their internal retention beyond the DPA terms. |
After a retention period ends, we delete or irreversibly anonymise the data, unless a longer period is required by law (Companies Act 2006, VAT Act 1994, Limitation Act 1980) or to defend a live legal claim. You may request earlier erasure under §7 — we will action requests except where statute requires retention.
7. Your rights
Under the UK GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate personal data
- Erase your personal data (subject to legal retention requirements)
- Restrict processing of your personal data
- Data portability
- Object to processing based on legitimate interests
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority — you have the right to lodge a complaint with the Information Commissioner's Office (ico.org.uk) at any time. (UK GDPR Art.77)
To exercise any of these rights, contact us at notices@gazetted.co.uk.
8. Data security
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS), hashed passwords, access controls, and regular security reviews.
9. Data Protection Officer
gazetted is not required to designate a Data Protection Officer under UK GDPR Article 37 (we do not perform large-scale systematic monitoring or large-scale processing of special-category data). Data protection queries should be directed to notices@gazetted.co.uk.
10. International transfers
Some of our service providers (such as Stripe and Resend) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses and the UK International Data Transfer Agreement. For the full sub-processor list and applicable transfer mechanisms, see our Data Processing Addendum.
11. Cookies
We use the following cookies:
- Session cookie (authjs.session-token): essential for keeping you signed in. Expires when you close your browser or after 8 hours.
- Cookie consent preference (cookie-consent in localStorage and gazetted_consent as a first-party cookie): records whether you have chosen “Accept all” or “Reject all”. The cookie lasts up to 12 months so the server can avoid setting optional cookies unless you have accepted them.
- Marketing attribution cookie (gazetted_utm): optional first-party cookie set only after you choose “Accept all” and visit with campaign parameters such as utm_source or utm_campaign. It stores those campaign parameters and the landing path for up to 12 months, so we can understand which campaigns led to a signup. It is cleared when you choose “Reject all”.
- CSRF token (authjs.csrf-token): essential for form security. Session cookie.
We do not use third-party advertising or tracking cookies. You can manage your cookie preferences at any time using the cookie banner or your browser settings.
12. Changes to this policy
We may update this privacy policy from time to time. We will notify registered users of material changes by email. The "last updated" date at the top of this page will be revised accordingly.
13. Contact and complaints
If you have questions about this privacy policy or wish to make a complaint, contact us at notices@gazetted.co.uk. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.