Legal

Privacy notice.

How we handle the personal data of customers, family members named on assessments, and visitors to this website.

Draft — pending solicitor review

This Privacy Notice is a structural draft. The detailed legal wording is being prepared by our solicitor and will replace the placeholder sections below. Until then, please contact us with any specific questions and do not rely on this document for legal interpretation.

Last updated: TODO. We are the data controller for information you provide to us. Contact details are at the bottom of this page.

1. Who we are

To be added by client: Controller name, ICO registration number if registered, postal address, DPO / privacy contact email.

2. What personal data we collect

We collect personal data in four broad categories:

  • Account details — your name, email, password (hashed), and authentication identifiers.
  • Family research details — surnames, ancestral village/district/state, names and approximate dates for family members, previous pilgrimage visits, and any documents, photographs or audio recordings you upload.
  • Payment data — handled by Stripe; we store transaction IDs and amounts, not card numbers.
  • Technical data — IP address, browser type, pages viewed, and cookies as described in our Cookie Notice.

3. Lawful bases for processing

To be added by client: Map each purpose (contract performance, legitimate interests for fraud prevention/analytics, consent for marketing, legal obligation for tax/records) to a UK GDPR Article 6 basis. Address Article 9 special-category data only if collected.

4. Information about other family members

To carry out ancestral research, you will share information about relatives — including some who may be living. By submitting their details you confirm you have a lawful basis to do so and, where required, have informed them.

To be added by client: Detailed treatment of third-party personal data, including any cases where we may need explicit consent from the named individual.

5. Who we share data with

We share personal data only as necessary for the service:

  • Researchers in Haridwar — to enable them to search the relevant registers. They see only the family details needed for their visit.
  • Hereditary priests — limited identifying details so they can locate your family's pages. See our Overseas Data Processing notice for the safeguards that apply.
  • Service providers — Stripe (payments), our cloud hosting and email providers, transcription/translation specialists where used.
  • Authorities — where required by law.

To be added by client: Named sub-processors, transfer mechanisms (SCCs, UK IDTA), and frequency of review.

6. International transfers

Most research happens in India. Transfers outside the UK are described in our Overseas Data Processing notice, including the safeguards we use.

7. How long we keep your data

To be added by client: Retention periods per data category (account: while account active + N years; case files: N years after completion; financial records: 6/7 years per HMRC; marketing: until consent withdrawn).

8. Security

To be added by client: Encryption in transit and at rest, access controls, staff training, breach-notification procedures.

9. Your rights

You have the right to:

  • access a copy of your personal data;
  • have inaccurate data corrected;
  • request deletion (where applicable);
  • restrict or object to processing;
  • data portability;
  • withdraw consent at any time where consent is the basis.

To exercise any right, contact us. You also have the right to complain to the UK Information Commissioner's Office (ico.org.uk).

10. Children

To be added by client: Service is not directed at under-18s; statement on accounts.

11. Changes to this notice

To be added by client: How material changes are communicated to customers.

12. Contact

To be added by client: Privacy contact email, postal address, DPO if appointed.