Privacy Policy

Last Updated: 2/3/2026

Pertaining to 'https://ratemysociety.co.uk' and all subdomains

privacy@ratemysociety.co.uk

1. Introduction

RateMySociety (“we”, “our”, “us”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, process, store, and share personal data when you access or use our website ratemysociety.co.uk.

We operate primarily in the United Kingdom and comply with applicable UK data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We also take into account relevant guidance for EU users under the GDPR.

By using our website, you consent to the practices described in this policy. If you do not agree, you should not use the website.


2. Information We Collect

2.1 Information You Provide Directly

  • Account creation: Email address
  • Third-party sign-in (Google, Apple, etc.): May include display name, email, and other profile information you authorize

2.2 Information Collected Automatically

  • Review submissions: IP address, browser and device fingerprints
  • Cookies and local storage: Used to maintain authentication state, identify users for moderation, and prevent automated abuse

2.3 Other Information

We do not knowingly collect data from children under 13. Our service is primarily aimed at students aged 16 and above.


We process your data for the following purposes under the UK GDPR:

Purpose | Data Collected | Legal Basis
Account creation and authentication | Email, display name | Legitimate interest
Anti-bot measures and moderation | IP address, device/browser info | Legitimate interest
Security and website functionality | Cookies and local storage | Legitimate interest

We do not use your personal data for marketing purposes. Occasionally, we may display paid promotional content from businesses and partners; your personal data is neither shared nor used in these adverts.


4. Cookies and Similar Technologies

  • Purpose: Maintain authentication sessions, identify returning users, prevent abuse
  • Type: Session-only cookies and local storage
  • Opt-out: Not available, as cookies are essential for core functionality

We do not use tracking cookies for advertising or analytics.


5. Data Sharing and Third-Party Services

We do not sell or share your personal data with third parties, except to trusted service providers who process data on our behalf. These include:

  • Supabase: Backend hosting and authentication services
  • Vercel: Website hosting and deployment

These providers are bound by contractual obligations to process personal data securely and only for the purposes specified by us.


6. International Data Transfers

Data is processed on servers located in Ireland (Europe) via Supabase.

To comply with UK and EU data transfer requirements, we rely on appropriate safeguards, including:

  • Supabase’s standard contractual clauses (SCCs) or equivalent guarantees for international data transfers
  • Ensuring that any processing outside the UK/EU meets UK GDPR adequacy requirements

Users should be aware that transferring data internationally carries inherent risks. We implement all reasonable technical and organizational measures to minimize these risks.


7. Data Retention

  • Account Data: Retained while your account is active; deleted upon account closure
  • Anti-bot/Moderation Data: IP addresses, device/browser fingerprints, and review metadata may be retained indefinitely for security, moderation, and legal compliance
  • Cookies/Local Storage: Cleared when the browser session ends

We regularly review our retention periods to ensure they comply with legal and operational requirements.


8. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • AES‑256 encryption at rest
  • HTTPS for all data transmission
  • Row Level Security and authentication controls for database access
  • Regular security testing and monitoring

While we strive to protect personal data, no method of transmission or storage is 100% secure.


9. Your Rights

Under the UK GDPR, you may exercise the following rights:

  1. Right of Access: Request a copy of personal data we hold about you
  2. Right to Rectification: Correct inaccurate or incomplete data
  3. Right to Erasure: Request deletion of your personal data where legally permitted
  4. Right to Restrict Processing: Request limitations on processing your data
  5. Right to Object: Object to processing based on legitimate interests
  6. Right to Data Portability: Receive your data in a structured, machine-readable format

To exercise your rights, email privacy@ratemysociety.co.uk. We aim to respond within 48 hours, though some requests may take longer depending on complexity.


10. Changes to this Policy

We may update this Privacy Policy periodically to reflect changes in law, technology, or our operations.

  • A notification banner will be displayed on the website for 7 days after any update
  • Continued use of the website after the effective date constitutes acceptance of the updated policy

11. Contact Information

For questions or concerns regarding this Privacy Policy or your personal data:

Email: privacy@ratemysociety.co.uk
Website: https://ratemysociety.co.uk