1. Introduction and Data Controller

1.1 Who We Are: This Privacy Policy describes how Early Tree Limited (Company Number: 14693946), trading as "Inspector Who", collects, uses, stores, and protects your personal information.

1.2 Data Controller: Early Tree Limited is the data controller responsible for your personal data. Our registered office is located at 8 Oak Field, Brayton, Selby, England, YO8 9QZ. The company is directed by Paul Porter-Phillips and Stephanie Porter-Phillips.

1.3 Contact Information:

• Data Protection Officer: dpo@inspectorwho.com
• Privacy Enquiries: privacy@inspectorwho.com
• General Support: support@inspectorwho.com

1.4 Scope: This Privacy Policy applies to all personal data we collect through our website, services, and communications. By using Inspector Who, you consent to the collection and use of your personal data as described in this Privacy Policy.

2. Information We Collect

2.1 Personal Information You Provide

When you register for an account or use our Service, we collect:

• Account Information: First name, last name, email address, password (encrypted)
• Profile Information: Any additional information you choose to provide in your user profile
• Payment Information: Payment method details (processed securely via Stripe; we do not store full credit card numbers)
• Communications: Content of messages you send us, support requests, feedback, and survey responses
• Subscription Preferences: Notification settings, followed inspectors, followed establishments

2.2 Information Automatically Collected

When you access our Service, we automatically collect:

• Usage Data: Pages visited, time spent on pages, search queries, reports viewed, inspectors followed, establishments followed
• Device Information: IP address, browser type and version, operating system, device type, screen resolution
• Log Data: Access times, referring URLs, error logs
• Location Data: Approximate location based on IP address (country and city level only)
• Performance Data: Page load times, server response times, errors encountered

2.3 Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Essential Cookies: Required for the Service to function (authentication, security, session management)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Understand how you use the Service to improve performance and user experience
• Performance Cookies: Monitor site performance and loading times

You can control cookies through your browser settings, but disabling certain cookies may affect the functionality of the Service.

2.4 Information from Third Parties

• Payment Processors (Stripe): Payment confirmation, transaction status, fraud prevention data
• Public Sources: Inspection data from Ofsted and other regulatory bodies (this is public data and does not contain personal information about users)

3. How We Use Your Information

We use your personal data for the following purposes:

3.1 Service Provision

• Create and manage your account
• Authenticate your identity and maintain security
• Process subscriptions and payments
• Provide access to inspection reports, inspector profiles, and establishment data
• Enable search, follow, and alert functionality
• Deliver email and in-app notifications for followed inspectors and establishments

3.2 Communication

• Send service-related notifications (account confirmations, password resets, subscription renewals)
• Respond to your enquiries and support requests
• Send important updates about the Service, Terms of Service, or this Privacy Policy
• Send marketing communications (only with your consent, which you can withdraw at any time)

3.3 Service Improvement

• Analyze usage patterns to improve Service performance and user experience
• Develop new features and functionality
• Conduct research and analytics
• Monitor and improve data quality and accuracy

3.4 Security and Legal Compliance

• Detect and prevent fraud, abuse, and security incidents
• Enforce our Terms of Service
• Comply with legal obligations and respond to lawful requests
• Protect our rights, property, and safety, and those of our users

4. Legal Basis for Processing (UK GDPR)

We process your personal data under the following lawful bases:

• Contract Performance: Processing necessary to provide the Service and fulfill our contractual obligations to you
• Consent: Where you have given explicit consent (e.g., marketing communications, optional analytics)
• Legitimate Interests: Processing necessary for our legitimate business interests (service improvement, fraud prevention, analytics), balanced against your rights and interests
• Legal Obligation: Processing necessary to comply with applicable laws and regulations

5. How We Share Your Information

We do NOT sell, rent, or trade your personal information to third parties for their marketing purposes.

We may share your personal data in the following circumstances:

5.1 Service Providers

We share personal data with trusted third-party service providers who assist us in operating the Service:

• Stripe: Payment processing and fraud prevention
• Email Service Providers: Sending transactional and notification emails
• Cloud Hosting Providers: Data storage and processing (Azure, AWS, or similar)
• Analytics Providers: Service performance monitoring and improvement

All service providers are bound by data processing agreements and are required to protect your data in accordance with UK GDPR.

5.2 Legal Requirements

We may disclose your personal data if required by law or in response to:

• Court orders, subpoenas, or legal processes
• Requests from law enforcement or government authorities
• Protection of our legal rights or defense against legal claims
• Prevention of fraud, security threats, or illegal activities
• Protection of the safety of any person

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the successor entity, subject to the same privacy protections.

5.4 With Your Consent

We may share your personal data with third parties when you have provided explicit consent.

6. International Data Transfers

6.1 Your personal data is primarily stored and processed in the United Kingdom. However, some of our service providers may process data in other countries.

6.2 When we transfer personal data outside the UK, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
• Adequacy decisions recognizing equivalent data protection standards
• Data Processing Agreements with all third-party processors

6.3 You have the right to obtain copies of the safeguards we use for international transfers by contacting us at privacy@inspectorwho.com.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

• Encryption: Data in transit protected by TLS/HTTPS encryption; data at rest encrypted in our databases
• Password Security: Passwords hashed using industry-standard bcrypt algorithm
• Access Controls: Role-based access control, multi-factor authentication for administrative access
• Network Security: Firewalls, intrusion detection, DDoS protection
• Regular Audits: Security assessments, vulnerability scanning, penetration testing
• Employee Training: Data protection and security awareness training for all staff
• Incident Response: Documented procedures for detecting, responding to, and reporting security incidents

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.

8. Data Retention

8.1 General Retention: We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

8.2 Specific Retention Periods:

• Account Data: Retained until you delete your account, plus 30 days for data recovery
• Payment Records: Retained for 7 years to comply with tax and accounting regulations
• Usage Data and Analytics: Retained for 2 years
• Email Communications: Retained until you unsubscribe or delete your account
• Support Requests: Retained for 3 years for quality assurance and training
• Legal and Compliance Records: Retained as required by applicable law

8.3 Data Deletion: When you delete your account, we will permanently delete or anonymize your personal data within 30 days, except where retention is required by law.

9. Your Rights (UK GDPR)

Under UK GDPR, you have the following rights regarding your personal data:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete personal data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data in certain circumstances
• Right to Restriction of Processing: Request that we limit how we use your personal data
• Right to Data Portability: Receive your personal data in a structured, machine-readable format and transfer it to another service
• Right to Object: Object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Right to Lodge a Complaint: Complain to the Information Commissioner's Office (ICO) if you believe your rights have been violated

How to Exercise Your Rights:

1. Email your request to privacy@inspectorwho.com
2. Include your account email address for verification
3. Specify which right(s) you wish to exercise
4. We will respond within 30 days (1 month) of receipt

Verification: We may request additional information to verify your identity before processing your request to protect your personal data from unauthorized access.

10. Children's Privacy

10.1 Our Service is not intended for children under the age of 18. We do not knowingly collect personal data from children under 18.

10.2 If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at privacy@inspectorwho.com. We will promptly delete such information from our systems.

10.3 By using the Service, you represent and warrant that you are at least 18 years of age.

11. Marketing Communications

11.1 Opt-In: We will only send you marketing communications if you have given explicit consent or where we have another lawful basis.

11.2 Opt-Out: You can unsubscribe from marketing emails at any time by:

• Clicking the "unsubscribe" link in any marketing email
• Updating your notification preferences in Account Settings
• Contacting us at privacy@inspectorwho.com

11.3 Service Communications: Even if you opt out of marketing, we will still send essential service-related communications (account notifications, security alerts, subscription confirmations).

12. Third-Party Links and Services

12.1 Our Service may contain links to third-party websites, including links to Ofsted reports and other regulatory body websites.

12.2 We are not responsible for the privacy practices of third-party websites. We encourage you to review the privacy policies of any third-party sites you visit.

12.3 This Privacy Policy applies only to information collected by Inspector Who.

13. Data Breach Notification

13.1 In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify affected users within 72 hours of becoming aware of the breach
• Notify the Information Commissioner's Office (ICO) as required by UK GDPR
• Provide details of the breach, including the nature of the data affected and the number of individuals impacted
• Describe the likely consequences of the breach
• Outline the measures taken or proposed to address the breach and mitigate potential adverse effects
• Provide contact information for further enquiries

13.2 We maintain an incident response plan and conduct regular security assessments to minimize the risk of data breaches.

14. Automated Decision-Making and Profiling

14.1 We do not use automated decision-making or profiling that produces legal effects or significantly affects you without human intervention.

14.2 We may use automated systems to analyze usage patterns and provide personalized recommendations, but these do not involve automated decisions that significantly affect your rights.

15. Changes to This Privacy Policy

15.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

15.2 We will notify you of material changes by:

• Posting the updated Privacy Policy on this page with a revised "Last Updated" date
• Sending an email notification to your registered email address
• Displaying a prominent notice on the Service

15.3 Your continued use of the Service after we publish or communicate notice of changes to this Privacy Policy constitutes your acceptance of the updated Privacy Policy.

15.4 We encourage you to review this Privacy Policy periodically.

16. Complaints and Regulatory Authority

16.1 If you have concerns about how we handle your personal data, please contact us first at privacy@inspectorwho.com. We will investigate and attempt to resolve any complaints.

16.2 You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent authority upholding information rights:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: https://ico.org.uk
Helpline: 0303 123 1113

17. Contact Us

For privacy-related questions, to exercise your rights, or to contact our Data Protection Officer:

Early Tree Limited trading as Inspector Who
Data Protection Officer: dpo@inspectorwho.com
Privacy Email: privacy@inspectorwho.com
General Support: support@inspectorwho.com
Registered Office: 8 Oak Field, Brayton, Selby, England, YO8 9QZ
Company Number: 14693946
Directors: Paul Porter-Phillips and Stephanie Porter-Phillips