GDPR & data residency
Lawful basis, retention, sub-processors. What you can hand to your DPO.
The plain-English version of where data lives, how long we keep it, and what your DPO should know. We're a UK company processing data for UK customers — UK GDPR is the regime.
What we store
| Category | Examples | Lawful basis |
|---|---|---|
| Operator account | Your name, email, password (hashed), brand assets | Contract |
| Catalogue | Locations, products, menus, pricing plans — your business config | Contract |
| Lead data | Guest name, email, phone, event details, GDPR consent | Legitimate interest, with consent for marketing follow-up |
| Quote data | Selected items, totals, comments | Contract (between you and your guest, processed by us) |
| Telemetry | API request logs (no body content), error traces | Legitimate interest |
Data residency
All operator and lead data is stored in UK regions on AWS (London, eu-west-2). No data is processed or stored outside the UK or EEA. If your DPO needs the specifics: our primary RDS database is in eu-west-2, with encrypted backups also in eu-west-2.
Sub-processors
| Sub-processor | What for | Where |
|---|---|---|
| AWS | Hosting, database, queues, backups | UK (eu-west-2) |
| Stripe | Subscription billing | EU |
| Postmark | Transactional email (notifications, password reset) | US, with EU regional storage |
| Cloudflare | CDN, DDoS protection | Global |
The full sub-processor list is kept up to date on the Privacy page. Subscribe to the page for change notifications.
Retention
- Active operator account — kept indefinitely while you're a customer.
- Closed operator account — wiped after 90 days, except where law requires us to retain (invoicing records: 7 years).
- Lead data — retained for as long as your account is active. Deleting a lead from the dashboard removes it permanently within 24 hours.
- Logs — 90 days, then aggregated and no longer personally identifiable.
Guest rights
Your guest is the data subject for the lead data. They have the standard UK GDPR rights: access, rectification, erasure, portability, objection. If a guest contacts you:
- Access / portability — the lead detail page in your dashboard has an Export button.
- Erasure — delete the lead from your dashboard. Permanent within 24 hours.
- Objection — flip GDPR consent to false on the lead. They'll be excluded from any marketing exports.
If a guest contacts us directly at privacy@innkept.com, we'll forward the request to you and copy you on the resolution.
The DPA
Our standard Data Processing Agreement is available on request — email privacy@innkept.com. It's based on the ICO template with the IDTA addendum for any onward transfers. Most operators don't need to negotiate.
Consent in the configurator
The configurator's last step has a required GDPR consent checkbox. We won't accept a submission without it ticked. The wording is standard:
> I agree to the venue contacting me about my enquiry and storing my details for the duration of the conversation.
The text is currently fixed — per-operator wording is on the roadmap.