Privacy Notice
1. Who we are
Codified London Ltd (company number 08440313), trading as GapSense, is the controller of personal data described in this notice. Our registered office is at Kemp House, 160 City Road, London, EC1V 2NX. You can contact us at hello@gapsensehq.com.
2. Scope of this notice
This notice explains how we collect and use personal data when you visit gapsensehq.com or use the GapSense service. It does not apply to third-party sites linked from our service.
3. The dual role of GapSense
GapSense handles two distinct categories of personal data and acts in two capacities:
- As controller, for personal data we collect directly to operate our business, including account data, billing data and website usage data.
- As processor on behalf of our business customers, for personal data contained within planning application documents that customers upload to the service. The customer is the controller of that data; GapSense processes it on the customer's instructions to deliver the service. Customers should refer to their own privacy notices and must have their own lawful basis for that processing.
This notice covers category (a) in detail. Category (b) is governed by the Data Processing Addendum in our Terms.
4. What personal data we collect
Account data: name, email address, employer/organisation, job title, account credentials (passwords are stored only in hashed form).
Billing data: billing contact, billing address, VAT number (where applicable), and invoice history. We do not store full payment card details; our payment processors handle those.
Usage data: pages viewed, actions taken in the service, assessment metadata, IP address, browser type and version, operating system, referral source, and similar technical information.
Communications: emails, support tickets and feedback you send to us.
Personal data in Customer Materials (processor role): personal data contained in planning application documents uploaded by customers, including applicants, agents, objectors, neighbouring residents, professional consultees, and local authority staff named in the documents.
5. How we use personal data and our lawful bases
We use personal data for the following purposes:
| Purpose | Personal data involved | Lawful basis (UK GDPR) |
|---|---|---|
| Providing the service, including creating accounts, authenticating users, and delivering Reports | Account, billing, usage, Customer Materials | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) for security and service integrity |
| Billing, invoicing, collecting payment, and maintaining financial records | Billing, account | Performance of a contract; legal obligation (Art. 6(1)(c)) (tax, accounting) |
| Improving the service, diagnosing errors, preventing abuse, security and fraud prevention | Usage, account | Legitimate interests (operating and improving a secure service) |
| Sending service communications (changes, outages, updates to these documents) | Account | Performance of a contract; legitimate interests |
| Sending marketing communications to existing business customers about similar services, where not opted out | Account | Legitimate interests (soft opt-in under PECR) |
| Responding to enquiries, support requests and feedback | Account, communications | Legitimate interests; performance of a contract |
| Defending legal claims and complying with legal obligations | Any relevant data | Legal obligation; legitimate interests |
Where we rely on legitimate interests, we have carried out a balancing test to ensure our interests do not override your rights and freedoms. You can ask us for details of that test.
We do not make decisions about you based solely on automated processing that have legal or similarly significant effects on you.
6. Who we share personal data with
We share personal data with the following categories of recipients:
- Cloud hosting providers for the secure storage of account data, application data, and uploaded materials.
- AI model providers for generating the content of Reports from Customer Materials.
- Payment and invoicing processors for processing payments and managing invoices.
- Email delivery providers for sending transactional and service emails.
- Analytics providers for understanding website and service usage.
- Professional advisers, including accountants, auditors and legal advisers, where required.
- Authorities, regulators or courts, where we are legally required to disclose information.
- Prospective or actual acquirers, in connection with a corporate transaction (under appropriate confidentiality terms).
A current list of our sub-processors, including the names and locations of providers, is available on request from hello@gapsensehq.com.
7. International transfers
Some of the providers we use are located outside the UK, including in the United States and the European Economic Area. Where personal data is transferred outside the UK to a jurisdiction that has not been the subject of a UK adequacy regulation, we rely on appropriate safeguards, such as the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses together with the UK Addendum. Copies of the safeguards are available on request.
8. How long we keep personal data
We retain personal data only for as long as is necessary for the purposes set out in this notice, or as required by law. Our default retention periods (reviewed periodically) are:
| Category | Retention period |
|---|---|
| Account data | For the duration of the account, plus 12 months after closure |
| Billing and financial records | 6 years, to comply with UK tax law |
| Usage and server logs | 12 months |
| Reports and associated Customer Materials (customer-uploaded applications) | 24 months from the date of the Assessment, unless the customer instructs earlier deletion |
| Public planning application records scraped from Local Planning Authority portals | Retained as commercial dataset material without a fixed cut-off. These are public records published by the LPA and do not contain personal data outside what is already publicly disclosed by the LPA. |
| Support communications | 36 months |
| Marketing suppression lists | Indefinitely, to honour opt-outs |
After the retention period, we delete or anonymise the data.
9. Your rights
Under UK GDPR you have the following rights in respect of personal data we hold about you as controller:
- Access: to be told whether we hold your personal data and to receive a copy.
- Rectification: to have inaccurate or incomplete data corrected.
- Erasure: to have your data deleted in certain circumstances.
- Restriction: to ask us to limit our use of your data in certain circumstances.
- Portability: to receive your data in a structured, commonly used, machine-readable format, where we rely on consent or contract and the processing is automated.
- Objection: to object to processing based on legitimate interests, and to object to direct marketing at any time.
- Withdraw consent: where we rely on consent, you can withdraw it at any time (without affecting the lawfulness of processing before withdrawal).
To exercise any of these rights, email hello@gapsensehq.com. We may ask for reasonable information to verify your identity before responding. We will respond within one month, unless the request is complex or you have made multiple requests, in which case we may extend by a further two months and tell you why.
If your personal data is held by us as processor on behalf of a business customer (for example, because you appear in a planning application uploaded to the service), you should direct your request to that customer. We will assist the customer in responding.
10. Making a complaint
You can complain to the Information Commissioner's Office (ICO) about how we handle your personal data:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Telephone: 0303 123 1113. Website: ico.org.uk.
We would, however, appreciate the chance to address your concerns first. Please contact us at hello@gapsensehq.com.
11. Security
We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss or alteration, including encryption in transit, access controls and regular review of our practices. No system is completely secure, and we cannot guarantee the security of information transmitted to or from us.
12. Cookies
We use a small number of cookies:
- Strictly necessary (authentication). When you sign in to the GapSense service at planning.gapsensehq.com, we set a session cookie that keeps you signed in and a CSRF-protection cookie that guards form submissions. These cookies are essential for the service to work; you cannot opt out of them while using your account.
- Analytics (Google Analytics). On gapsensehq.com we use Google Analytics to understand how visitors find and use the site. Google Analytics sets cookies (typically prefixed
_ga) to distinguish visitors and sessions. This data is processed on our behalf by Google LLC. Your IP address is truncated before storage.
You can block or delete cookies in your browser settings. Blocking the authentication cookies will prevent you from signing in. To opt out of Google Analytics specifically, you can install Google's browser opt-out add-on.
We do not use advertising or cross-site tracking cookies.
13. Changes to this notice
We may update this notice from time to time. Material changes will be notified by email to account holders or by notice within the service before they take effect. The "last updated" date at the top of this notice shows when the current version took effect.