Privacy

Privacy Policy

Last updated: 10 May 2026

Draft — pending solicitor review. Don't take this as the final version.

Plain-English summary

We're Nook — a UK property report service. To give you reports and let you save properties, we hold a small amount of data about you: your email, what you've searched, what you've saved, and (if you've bought a paid document) your purchase record.

We don't sell your data. We don't pass it to advertisers. The few outside companies we use (hosting, payments, error tracking) are listed below in plain language. You can ask us to delete everything we hold on you at any time, in your dashboard.

Who we are

Nook is operated by BRAE Earth Limited, registered in England and Wales, at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ. We're the "data controller" for the personal data described here.

Heads-up: while Nook is in beta, BRAE Earth Limited is the controller. When Nook spins out into its own legal entity (planned post-launch), we'll update this page and email registered users at least 30 days before the change takes effect.

What we collect

Email address — for sign-in and account-related messages.
Name (optional) — only if you sign in with Google, in which case Google passes us your display name.
Properties you search and save — postcodes, UPRNs, addresses, and any labels or notes you add to saved properties.
Purchase records — if you buy a paid document, we record the transaction (Stripe holds the actual card details, we don't).
Technical data — IP address, browser, and pages viewed, in standard server logs and aggregated analytics. We don't tie this to individual accounts in our analytics tool.

Why we collect it (legal basis)

To provide the service (contract): generating your reports, saving your shortlist, processing payments.
To improve the service (legitimate interest): aggregated analytics, error tracking, fraud prevention.
To send you account messages (contract): password resets, share-link emails, change-of-email notifications.

We don't send marketing emails. If we ever start, we'll ask for your separate consent first and you'll be able to unsubscribe at any time.

Who we share it with

The companies below process some of your data on our behalf, only for the purpose listed:

Supabase (database + authentication) — EU-hosted (eu-west-1, Ireland). Your email and account data live here.
Vercel (hosting) — global CDN with US headquarters. Receives requests and serves the site.
Stripe (payments) — only if you buy a paid document. Stripe receives the card details directly; we don't store them.
Plausible Analytics (aggregate analytics) — EU-hosted (Germany). No cookies, no personal data, just aggregate page-view counts.
Sentry (error tracking) — US-hosted. When something breaks, Sentry receives the error stack trace, the URL you were on, your IP address, and standard request headers (browser, OS). We don't tie your email address to events. Used to debug and prevent regressions (legal basis: legitimate interest). Errors are retained for 90 days, then deleted.
Anthropic / Claude (AI report summaries) — US-hosted. Receives the property's data, not your personal data.
Mapbox (maps + geocoding) — US-hosted. Receives postcodes/addresses to convert into coordinates.

For each US-hosted service, we rely on the UK's adequacy decision for the EU-US Data Privacy Framework (where the provider is certified) or Standard Contractual Clauses with additional safeguards. None of this involves selling your data to third parties.

How long we keep it

Account data — for as long as your account is active. Delete your account in the dashboard and it's gone within 30 days, including from backups.
Saved properties + share links — same as your account. Both are scoped to you and removed on account deletion.
Purchase records — retained for 6 years to meet HMRC tax-record requirements, even after account deletion. Stripe also keeps its own records.
Server logs — 30 days, then deleted.
Aggregate analytics — kept indefinitely as anonymous counts (not tied to you).

Your rights

Under UK GDPR (Articles 15–22) you have seven rights over your data. To exercise any of them, email hello@nookuk.com:

Right of access (Art. 15) — ask us for a copy of everything we hold about you.
Right to rectification (Art. 16) — ask us to correct anything that's wrong or out of date.
Right to erasure (Art. 17) — ask us to delete your data. One click in your dashboard does this; gone within 30 days.
Right to restriction (Art. 18) — ask us to stop using your data for specific purposes while a question is being resolved.
Right to data portability (Art. 20) — ask us to send you your data in a machine-readable format (JSON or CSV). We respond within one calendar month.
Right to object (Art. 21) — object to our processing your data on grounds of legitimate interest (e.g. analytics, error tracking).
Right not to be subject to automated decision-making (Art. 22) — we don't make automated decisions that produce legal or significant effects about you. The AI-generated property summaries are descriptive, not decisional.

We respond to all requests within one calendar month. If you're not happy with how we've handled your request, you can complain to the UK's Information Commissioner's Office at ico.org.uk.

Automated decision-making

Property reports include AI-generated summaries (using Claude). These are descriptive — they don't make decisions about you. We don't profile you or use AI to determine pricing, access, or anything else that affects your account.

Cookies

We use a small number of essential cookies for sign-in. Plausible (our analytics) doesn't use cookies at all. Full breakdown on the Cookies page.

Changes to this policy

If we change anything material — for example when Nook becomes its own legal entity — we'll email registered users at least 30 days before the change takes effect. Smaller wording fixes will just bump the "Last updated" date at the top.

Contact

Questions, requests, or concerns: hello@nookuk.com.