Legal

Privacy Policy

Last updated: 1 May 2026 · SubSeat Ltd

1. Who We Are

SubSeat Ltd ("SubSeat", "we", "us", "our") operates the SubSeat platform at subseat.co.uk. We are a UK-registered company and act as the data controller for personal data collected through our platform.

If you have any questions about this Privacy Policy or how we handle your data, please contact us at hello@subseat.co.uk.

2. What Data We Collect

Account Data

  • Full name, email address and phone number
  • Date of birth (optional, used for birthday offers)
  • Profile photo (optional)
  • Password (stored encrypted — we never see your password)

Booking & Subscription Data

  • Booking history, appointment times and services booked
  • Subscription plan details and payment history
  • Preferred professionals and businesses

Business Data (for business accounts)

  • Business name, address, category and contact details
  • Staff information (names, roles, working hours)
  • Service listings and pricing
  • Stripe account information (handled directly by Stripe)

Walk-In / QR Data

  • Name and phone number captured via QR check-in
  • Email address (optional, if provided)
  • Marketing consent preference

Technical Data

  • IP address, browser type and device information
  • Pages visited and time spent on the platform
  • Cookies and session data

3. How We Use Your Data

  • To provide and operate the SubSeat platform
  • To process bookings, subscriptions and payments
  • To send booking confirmations and appointment reminders via email and WhatsApp
  • To send marketing messages where you have given consent
  • To improve our platform and fix technical issues
  • To comply with legal obligations
  • To detect and prevent fraud or abuse

4. Legal Basis for Processing

We process your personal data under the following lawful bases under UK GDPR:

  • Contract — to fulfil bookings and subscriptions you have entered into
  • Legitimate interests — to improve our platform and prevent fraud
  • Consent — for marketing communications (you can withdraw at any time)
  • Legal obligation — where required by law

5. Who We Share Your Data With

We do not sell your personal data. We share data only with trusted third parties necessary to operate SubSeat:

  • Stripe — payment processing (they handle card data directly)
  • Supabase — secure database hosting
  • Resend — email delivery
  • Vercel — platform hosting
  • Businesses on SubSeat — your booking details are shared with the business you book with

All third parties are bound by data processing agreements and handle your data securely.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide our services. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes (typically 6 years for financial records).

7. Your Rights

Under UK GDPR, you have the following rights:

  • Right to access — request a copy of your personal data
  • Right to rectification — correct inaccurate data
  • Right to erasure — request deletion of your data
  • Right to portability — receive your data in a portable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — for marketing at any time

To exercise any of these rights, email us at privacy@subseat.co.uk. We will respond within 30 days.

8. Account & Data Deletion

You have the right to request full deletion of your SubSeat account and personal data at any time.

How to request deletion

  • Email privacy@subseat.co.uk with the subject line "Account Deletion Request"
  • Include your registered email address and full name
  • We will confirm receipt within 48 hours
  • Deletion will be completed within 30 days of your request

What gets deleted

  • Your account credentials and profile information
  • Your booking history and subscription records
  • Any uploaded images or business content
  • Your contact preferences and notification settings

What we must retain

  • Financial transaction records for up to 6 years as required by UK law
  • Records required for ongoing legal disputes or chargebacks

Please note: active subscriptions must be cancelled before account deletion can be completed. Deleted accounts cannot be recovered.

9. Cookies

SubSeat uses essential cookies to keep you logged in and operate the platform. We do not use advertising or tracking cookies. You can disable cookies in your browser settings, though this may affect platform functionality.

10. Security

We take security seriously. All data is encrypted in transit (HTTPS) and at rest. Passwords are hashed and never stored in plain text. Payment data is handled entirely by Stripe and never stored on our servers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via a notice on the platform. The date at the top of this page shows when it was last updated.

12. Contact & Complaints

If you have concerns about how we handle your data, please contact us first at hello@subseat.co.uk. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

SubSeat Ltd · hello@subseat.co.uk · subseat.co.uk · UK Registered Company