Privacy Policy
Last updated: 1 March 2026
1. Who we are
1.1 Planning Appeals is a service operated by Milk Street Group Ltd, a company registered in England and Wales under company number 17028935, whose registered office is at 14a Queen Square, Bath, BA1 2HN (the “data controller”).
1.2 For any questions about how we handle your personal data, or to exercise any of your rights under data protection law, please contact us at privacy@planningappeals.co.uk.
1.3 We are not required to appoint a Data Protection Officer. All data protection enquiries are handled by the privacy team at the address above.
2. What data we collect
2.1 We collect the following categories of personal data:
| Category | Data | When collected |
|---|---|---|
| Account data | Name, email address, company name, job title | When you create an account |
| Authentication data | Hashed password, or Google/Microsoft SSO tokens | When you sign in |
| Billing data | Name, billing address, payment card details (processed and stored by Stripe — we do not store your full card number) | When you subscribe to a paid plan |
| Usage data | Search queries, saved searches, collections, alerts, feature interactions, pages visited | When you use the Service |
| Technical data | IP address, browser type and version, device type, operating system, referring URL | Automatically when you visit the site |
| Support data | Name, email address, contents of your correspondence | When you contact support |
2.2 We do not collect any special category data (such as health, ethnicity, political opinions, or biometric data).
3. How we use your data
3.1 We use your personal data for the following purposes:
- Providing the Service — creating and managing your account, processing your searches, delivering saved search alerts and case tracking notifications, and enabling you to save and organise your research.
- Billing and payments — processing subscription payments, managing invoices, and handling refund or billing queries via Stripe.
- Service communications — sending you emails that are part of delivering the Service, as described in section 5.
- Product improvement — understanding how the Service is used so we can improve features, fix issues, and develop new functionality. This includes analysing usage patterns and feature engagement through our analytics provider.
- Aggregated insights — creating anonymised, aggregated datasets from usage patterns to improve the Service and develop new products and features, as described in our Terms of Service (clause 9.4). Aggregated data does not identify you personally.
- Security and fraud prevention — detecting and preventing unauthorised access, abuse, and other security threats.
- Legal obligations — retaining billing records as required by HMRC, and responding to lawful requests from authorities.
3.2 We will never sell your personal data to third parties. We will never use your personal data for advertising or ad targeting.
3.3 We may use anonymised and aggregated information about how the Service is used (such as the types of organisations using the Service, or usage patterns by sector or region) to inform our own marketing and business development activities. This information will never identify you individually or disclose that any specific person or organisation is a user of the Service without their prior consent.
4. Legal bases for processing
4.1 Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for each type of processing. The legal bases we rely on are:
| Purpose | Legal basis |
|---|---|
| Providing the Service, managing your account | Contract — necessary for the performance of our contract with you (the Terms of Service) |
| Billing and payment processing | Contract — necessary to fulfil our billing obligations |
| Service communications (account, alerts, billing, product updates) | Legitimate interest — necessary to deliver and operate the Service you have signed up for |
| Analytics and product improvement | Legitimate interest — understanding usage helps us improve the product for all users |
| Aggregated insights | Legitimate interest — anonymised data used to improve and develop the Service |
| Security and fraud prevention | Legitimate interest — protecting the Service and our users |
| Retaining billing records | Legal obligation — required by HMRC for tax and accounting purposes |
4.2 Where we rely on legitimate interest, we have conducted a balancing assessment to ensure our interests do not override your rights and freedoms. You may object to processing based on legitimate interest at any time by contacting us at privacy@planningappeals.co.uk.
5. Service communications
In plain terms: By using Planning Appeals, you'll receive emails that are part of the service — things like alert digests, billing confirmations, and important product updates. These aren't marketing emails. They're how the product works.
5.1 As part of providing the Service, we will send you the following types of email communication:
- Account notifications — registration confirmation, password resets, security alerts, and account status changes (such as trial expiry or subscription changes).
- Alert digests — daily or weekly emails delivering new cases matching your saved search criteria, as configured by you in your account settings.
- Case tracking updates — notifications when a pending case you are tracking receives a decision or new documents.
- Billing communications — payment confirmations, invoices, failed payment notifications, and subscription renewal notices.
- Service updates — important changes to the Service, planned maintenance, new features, and product announcements directly related to the Service.
5.2 These communications are a necessary part of delivering the Service and are sent on the basis of our contract with you and our legitimate interest in operating the Service effectively. They do not require separate consent.
5.3 You can control the frequency and type of alert digests and case tracking notifications through your account settings. Account, billing, and security notifications cannot be opted out of while your account is active, as they are essential to the operation of the Service.
6. Cookies
6.1 We use cookies and similar technologies on the Service. A cookie is a small text file placed on your device by your web browser.
6.2 The cookies we use fall into the following categories:
| Category | Purpose | Examples | Consent required |
|---|---|---|---|
| Strictly necessary | Authentication, session management, security. The Service cannot function without these. | Session tokens, CSRF protection | No |
| Functional | Remembering your preferences and view states (such as compact vs full result view, map position). | UI preference cookies | No |
| Analytics | Understanding how the Service is used so we can improve it. Data is anonymised and not shared with third parties for advertising. | Analytics service | You can block analytics cookies through your browser settings |
6.3 We do not use any advertising or tracking cookies. No data collected through cookies is shared with advertising networks or used for ad targeting.
6.4 You can control which cookies are set through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling strictly necessary cookies may prevent the Service from functioning correctly. Information about managing cookies in your browser is available at aboutcookies.org.
7. Third-party service providers
7.1 We share personal data with the following third-party service providers (sub-processors) who process data on our behalf:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Name, email, billing address, payment card details | US (SCCs/IDTA) |
| Google Workspace | Email and support communications | Name, email address, support correspondence | US (SCCs/IDTA) |
| Hosting provider | Hosting and content delivery | IP address, technical data, usage data | US (SCCs/IDTA) |
| Database provider | Database and authentication | Account data, usage data, authentication data | US (SCCs/IDTA) |
| Analytics provider | Product analytics | Anonymised usage data, technical data | EU |
| Error monitoring provider | Error tracking and performance monitoring | Anonymised user identifier, browser information, error details | US (SCCs/IDTA) |
| Email delivery provider | Transactional email delivery | Name, email address | US (SCCs/IDTA) |
7.2 We also use third-party machine learning providers to extract inspector reasoning from appeal decision letters. These providers process Crown copyright decision letter text published by government bodies under the Open Government Licence. We design these processes to avoid sending user personal data to these providers. Decision letters may contain personal data of third parties (such as names and addresses of appellants, agents, and inspectors) that is already in the public domain.
7.3 All sub-processors who handle personal data are bound by data processing agreements. We only share the minimum data necessary for each provider to perform their function.
7.4 We will not share your personal data with any other third party except where required by law or with your explicit consent.
7.5 We may use additional infrastructure and service providers in the operation of the Service. Where any such provider processes personal data on our behalf, they are bound by appropriate data processing agreements. The providers listed above are those that meaningfully process user personal data as part of the Service.
8. International data transfers
8.1 Some of our third-party service providers are based outside the United Kingdom, primarily in the United States. This means your personal data may be transferred to, stored, and processed in countries outside the UK.
8.2 Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:
- the UK International Data Transfer Agreement (IDTA);
- the EU Standard Contractual Clauses (SCCs) with the UK addendum, where applicable; and
- transfers to countries or organisations that the UK government has determined provide an adequate level of data protection.
8.3 We use third-party machine learning providers to extract inspector reasoning from appeal decision letters. These providers process Crown copyright decision letter text published by government bodies under the Open Government Licence. We design these processes to avoid sending user personal data to these providers, though decision letters may contain personal data of third parties (such as appellant names and site addresses) that is already in the public domain.
9. Data retention
9.1 We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are:
| Data type | Retention period | Reason |
|---|---|---|
| Account data and user content (saved searches, collections, alerts) | Deleted 90 days after account cancellation | Grace period for reactivation; then no longer needed |
| Billing and payment records | 7 years from date of transaction | Required by HMRC for tax and accounting purposes |
| Support correspondence | 2 years after last contact | Resolution of ongoing issues and quality assurance |
| Anonymised, aggregated usage data | Retained indefinitely | Product improvement and insights development; data does not identify individuals |
| Analytics data | In accordance with our analytics provider's retention settings | Product analytics and improvement |
9.2 When personal data reaches the end of its retention period, it is securely deleted or anonymised so that it can no longer be associated with you.
10. Your rights
10.1 Under UK data protection law, you have the following rights in relation to your personal data:
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct any inaccurate or incomplete personal data.
- Right to erasure — you can ask us to delete your personal data where there is no compelling reason for us to continue processing it.
- Right to restriction — you can ask us to suspend the processing of your personal data in certain circumstances.
- Right to data portability — you can request a copy of your personal data in a structured, commonly used, machine-readable format.
- Right to object — you can object to processing based on legitimate interest. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
10.2 To exercise any of these rights, please contact us at privacy@planningappeals.co.uk. We will respond to your request within one month. In exceptional circumstances, we may extend this by a further two months, in which case we will inform you and explain the reason for the delay.
10.3 We will not charge a fee for responding to a data rights request unless the request is manifestly unfounded or excessive.
10.4 We may ask you to verify your identity before processing your request, to ensure we do not disclose personal data to the wrong person.
11. Children
11.1 The Service is designed for use by professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18.
11.2 If you believe we have inadvertently collected personal data from a person under 18, please contact us at privacy@planningappeals.co.uk and we will delete it promptly.
12. Changes to this policy
12.1 We may update this Privacy Policy from time to time. The current version will always be available at planningappeals.co.uk/privacy with the “Last updated” date shown at the top of the page.
12.2 For material changes that affect how we process your personal data, we will notify you by email at least 30 days before the changes take effect.
12.3 We encourage you to review this policy periodically to stay informed about how we protect your data.
13. Contact and complaints
13.1 If you have any questions or concerns about this Privacy Policy or how we handle your personal data, please contact us at privacy@planningappeals.co.uk.
13.2 You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
13.3 We would appreciate the opportunity to address your concerns before you contact the ICO. Please reach out to us first and we will do our best to resolve the matter.