Data City Innovations Ltd
Last updated: 31.03.2026
1.1 This Privacy Policy applies to the Data City's Industry Engine platform, accessed at products.thedatacity.com and via our API (the "Platform"). It does not apply to our marketing website (www.thedatacity.com), which has its own separate Privacy Policy.
1.2 The Platform is operated by Data City Innovations Ltd ("we", "us", "our"), a company incorporated in England and Wales under company number 10958787. Our registered office is Consort House, 12 South Parade, Leeds, LS1 5QS.
1.3 We are committed to complying with our obligations under the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), and all other applicable UK data protection legislation (together, "Data Protection Law").
1.4 This policy covers two distinct categories of personal data processing:
1.5 We may update this policy from time to time. Any changes will be posted on this page with an updated date at the top.
2.1 Our data protection contact is James Bell. If you have any questions about this policy or wish to exercise your rights, please contact us at:
2.2 If you are unhappy with how we handle your personal data, you have the right to complain to the Information Commissioner's Office (ICO):
3.1 When you register for and use the Platform, we collect the following personal data about you:
| Category of personal data | What it includes | Purpose | Lawful basis | Retention period |
| --- | --- | --- | --- | --- |
| Account registration data | Name, work email address | To create and administer your platform account; to provide you with access to the Platform and Licensed Data; to communicate with you about your account | Performance of contract | For the duration of your account, plus 6 years following termination |
| Platform usage data | Login activity, features accessed, data queries made, download activity, error logs | To operate, maintain and improve the Platform; to monitor compliance with licence terms; to diagnose and resolve technical issues | Legitimate interests (operating and improving the Platform; ensuring licence compliance) | 12 months rolling, then anonymised or deleted |
| Communications data | Records of emails and support communications between you and us | To provide customer support; to maintain records of our relationship | Legitimate interests (managing our customer relationships, disputes or claims) | 6 years from the date of the communication |
| Transactional email data | Email address, email delivery status, timestamps (stored by SendGrid) | To send transactional emails (e.g. password resets, account notifications) and to maintain delivery records | Performance of contract | 6 months, then deleted from SendGrid logs |
| Billing and payment data (outside of platform) | Organisation name, invoice records; GoCardless payment records where applicable | To manage invoicing and payment for platform access | Performance of contract; legal obligation (financial record-keeping) | 7 years from date of transaction (in accordance with HMRC requirements) |
3.2 We collect only the minimum personal data necessary to provide the Platform. We do not collect payment card details directly; where Direct Debit is used, this is processed by GoCardless in accordance with their own privacy policy.
4.1 We use the following tools within the Platform to monitor performance, understand usage and improve the user experience:
| Technology | Provider | Purpose | Basis |
| --- | --- | --- | --- |
| Error monitoring | Sentry | To automatically detect, log and alert us to application errors and performance issues | Legitimate interests (maintaining platform stability and security) |
| Session recording and heatmaps | Hotjar | To record anonymised user sessions and generate heatmaps to improve platform design and usability | Legitimate interests (improving the Platform) |
4.2 Hotjar does not capture passwords or payment information. Session recordings are used solely for internal product improvement purposes and are not shared with third parties.
5.1 We do not sell your personal data. We may share it in the following circumstances:
6.1 The following third parties process platform user personal data on our behalf:
| Sub-processor | Location | Purpose |
| --- | --- | --- |
| Microsoft Azure | United Kingdom | Platform hosting and infrastructure |
| HubSpot | USA (UK adequacy safeguards in place) | CRM and customer communications |
| GoCardless | United Kingdom | Direct Debit payment processing (where applicable) |
| SendGrid (Twilio) | USA (UK adequacy safeguards in place) | Transactional email delivery |
| Sentry | USA (UK adequacy safeguards in place) | Error monitoring and performance logging |
| Hotjar | EEA (UK adequacy safeguards in place) | Session recording and heatmaps |
6.2 Where sub-processors are located outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR, including standard contractual clauses or reliance on adequacy decisions where applicable.
7.1 Under Data Protection Law, you have the following rights in relation to your personal data:
| Right | What it means |
| --- | --- |
| Access | To request a copy of the personal data we hold about you |
| Rectification | To request correction of inaccurate or incomplete data |
| Erasure | To request deletion of your data in certain circumstances |
| Restriction | To request that we limit processing of your data in certain circumstances |
| Portability | To receive your data in a structured, machine-readable format in certain circumstances |
| Objection | To object to processing based on legitimate interests |
7.2 To exercise any of these rights, please contact us at [email protected]. We will respond within one month. We may ask you to verify your identity before acting on your request.
7.3 Please note that some rights are subject to limitations under Data Protection Law - for example, we may need to retain certain data to comply with legal obligations or to establish, exercise or defend legal claims.
8.1 Who this section is for
This section is for individuals whose personal data may appear within the Data City dataset - for example, if your name, job title or work email address appears on a company website that we have collected data from. This is separate from your rights as a platform user.
8.2 What data we hold and where it comes from
As part of building and maintaining our business intelligence platform, we collect data on UK companies from a range of publicly available sources. In doing so, we may incidentally collect limited personal data about individuals associated with those companies.
The personal data we may hold about you includes:
This data is collected from the following sources:
| Source | Description |
| --- | --- |
| Company websites | We collect publicly available information from company websites, which may include named contacts, job titles and work email addresses published on those websites |
| Companies House | Publicly available company registration data, which may include director names and registered addresses |
| Other public web sources | Other publicly available online sources relevant to UK business activity |
We also receive data from licensed third-party providers including Creditsafe, Lightcast and Dealroom. Where personal data is received from these providers, it is subject to their own data collection terms and their compliance with Data Protection Law.
8.3 Why we hold this data and our lawful basis
We collect and process this data for the purpose of providing a business intelligence platform that helps our customers understand the UK economy, identify companies operating in emerging sectors, and analyse industrial trends.
Our lawful basis for processing this personal data is legitimate interests under Article 6(1)(f) UK GDPR.
We consider our legitimate interests to be: providing accurate, comprehensive business intelligence data to organisations involved in economic research, investment, policy-making, and business development.
We have assessed that:
8.4 How this data is made available
The personal data within our dataset may be accessed by our platform licensees (businesses and organisations who have purchased a licence to use the Platform). Licensees access this data for purposes including economic research, sector analysis, investment research and business development. All licensees are bound by contractual restrictions on how they may use the data.
Personal data is not presented as a standard field in every data export. Work email addresses and individual contact details are available as an optional field that licensees may choose to include.
8.5 How long we keep this data
| Data type | Retention period |
| --- | --- |
| Scraped personal data (names, job titles, work emails) | 3 months from the date of collection, after which it is deleted or refreshed |
| Platform database backups | Daily backups retained for 7 days; weekly backups retained for 4 weeks |
Our scraping activity is ongoing. Where data is refreshed, the retention period restarts from the date of the most recent collection.
8.6 Your rights as an individual in our dataset
If your personal data appears within our dataset, you have the following rights under Data Protection Law:
| Right | What it means in this context |
| --- | --- |
| Access | To request confirmation of whether we hold personal data about you, and if so, to receive a copy |
| Erasure | To request that we delete your personal data from our dataset. We will action this promptly and record your details to ensure your data is not re-collected in future scraping activity |
| Rectification | To request correction of any inaccurate personal data we hold about you |
| Restriction | To request that we restrict processing of your personal data in certain circumstances |
| Objection | To object to our processing of your personal data. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests |
8.7 To exercise any of these rights, please contact us at [email protected] with the subject line "Data Rights Request". Please include your name, the company you are or were associated with, and your work email address if known, so that we can locate your data. We will respond within one month.
8.8 We will not use individual contact data collected through scraping to contact those individuals directly for marketing purposes.
9.1 We implement appropriate technical and organisational measures to protect personal data held on our Platform against unauthorised access, loss, disclosure or destruction. These measures include access controls, encryption in transit, and regular security monitoring via Sentry.
9.2 In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and affected individuals where required.
10.1 This policy is governed by the laws of England and Wales.