Legal
Privacy Policy
Last updated 13 July 2026
This policy explains what personal data Cache collects, why, and what rights you have. It is written to comply with UK GDPR and the Data Protection Act 2018.
1. Who is responsible
The data controller is Cache — [COMPANY DETAILS — registered name, company number, registered office and contact email to be inserted before launch]. Contact us about anything in this policy using those details.
2. What we collect
- Account data — name, email, password (stored hashed), optional phone number.
- Listing data — the address of a listed space, photos, size and access details. Publicly we show only the street and postcode district; the full address is shared with a renter only once a booking is contracted.
- Business verification (KYB) data — business name, company number, VAT number, contact details, submitted for verification review.
- Booking and visit records — requests, contracts, schedules, check-ins/check-outs, missed-visit records and strikes.
- Evidence photos — condition and visit photos uploaded by the parties, kept as the record both sides rely on in a dispute.
- Messages — booking-scoped messages between host and renter. Note that message bodies pass through automated contact-detail redaction (email addresses and phone-number-like text are removed) before they are stored; admins can read threads for dispute resolution.
- Payment records — amounts, dates and references for rent, deposits and payouts. When live payment processing launches, card and bank details will be handled by our payment provider (expected: Stripe) and never stored by Cache.
- Operational logs — emails we send you, admin audit records, and technical logs needed to run and secure the service.
3. Why we use it (purposes and lawful bases)
- Running the marketplace — accounts, listings, bookings, contracts, payments, messages, visit scheduling: performance of a contract.
- Verification, strikes and dispute resolution — keeping both sides safe and honest: legitimate interests (and, for some KYB checks, legal obligation).
- Service emails — booking events, visit reminders, policy notices: performance of a contract. Marketing email, if we ever send it, will be opt-in: consent.
- Security and abuse prevention — rate limiting, fraud and circumvention detection: legitimate interests.
4. Who processes it for us
- Cloudflare — hosting, database, file storage (listing and evidence photos) and content delivery.
- Resend — transactional email delivery.
- Stripe — payment processing, once live payments launch.
These providers act as processors under contracts that meet UK GDPR requirements. Where data leaves the UK, it does so under recognised safeguards (adequacy or standard contractual clauses).
5. How long we keep it
- Account and booking records — for as long as your account is open, then for the period needed for legal and tax obligations [retention periods to be confirmed on review].
- Evidence photos and visit records — kept for the dispute window after a booking ends [length to be confirmed on review], then deleted.
- Messages — kept while the booking's parties may still need them (including disputes), on the same schedule as evidence.
- Email and audit logs — kept on a rolling operational basis.
6. Your rights
You have the rights UK GDPR gives you: access to your data, rectification, erasure (where it applies), restriction, portability and objection. Contact us using the details in section 1 and we will respond within one month.
If you are unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ICO) — ico.org.uk — though we would appreciate the chance to sort it out first.
7. Cookies
Cache uses essential session cookies only — the cookies that keep you signed in and keep the site secure. No analytics cookies, no advertising cookies, no tracking. That is the whole list, which is why there is no cookie banner.
8. Changes
If this policy changes materially we will email account holders before the change takes effect.