Data Processing

This document is a concise overview of how modern data protection law (namely, GDPR) relates to Ideal Postcodes in its role as your data processor (or subprocessor).

The exact details can be found in the Terms of Service (Part 2: Data Protection).

What will change after May 25th 2018

We have updated our Terms of Service to incorporate a Data Protection section, which provides you with contractual assurance that we uphold the requirements of GDPR.

The CSV Export API (/keys/:key/lookups) will return less data. IP addresses and address query strings older than 28 days will no longer be returned, because these data points are irreversibly redacted once they reach that age. By June 2018, all personal data older than 28 days will have been redacted. You may also opt to have this data discarded altogether rather than retained for 28 days.

What personal data do we process and why

Our aim is to collect as little information (personal or otherwise) from you as possible, while providing a service that is as secure, reliable, fast and accurate as reasonably possible.

This means we will only collect information about you if it is required to:

  • Provide you access to our services
  • Secure our services from malicious activity
  • Measure the performance of our services (i.e. speed, reliability and accuracy) with a view to implementing improvements

As such, we currently only collect the following data points:

  1. Address Queries
  2. Browsing Data (for client side integrations only)
  3. Sublicensee Data (for users of our sublicensing platform)

1. Address Queries

We store address query strings both in our server logs and for your retrieval via the /keys/:key/lookups API.

This data is required in the short term so that we can perform our role in validating and cleansing addresses.

We keep this data for up to 28 days. Internally this allows us to diagnose performance issues (e.g. slow-running queries) and gives us actionable data to improve our service. It is also a useful resource for clients integrating against the API or diagnosing buggy integrations.

2. Browsing Data

By browsing data we mean anything we can extract from the HTTP request sent to us. This includes the IP address as well as HTTP headers (Accept-Language, User-Agent, Origin and Referer being the most salient). Typically this data is stored in the form of server logs.

This only constitutes personal data about your end users if you have a client-side integration, i.e. the end user's browser calls our API directly. With a server-side or proxied integration the request originates from your server, so there is a good chance we do not receive your end users' browsing data at all.
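The distinction above is an architectural one: a proxied integration decides which parts of the end user's request reach the processor. The following is an added example, not Ideal Postcodes' own code, of a server-side lookup that builds the upstream request from scratch so that only the normalised address query and your API credential are forwarded. The upstream host, the /v1/postcodes path, the Bearer authorization scheme and the postcode pattern are placeholders assumed for illustration, not the real API contract.

```javascript
// Added example (not Ideal Postcodes' code): a proxied lookup that forwards only the
// address query upstream, never the end user's IP address or browser headers.
// UPSTREAM_BASE, the path and the Authorization scheme are assumed placeholders.

const UPSTREAM_BASE = "https://api.example.invalid"; // assumed, stands in for the real host

// Headers that identify the end user's browser or network location. A proxied
// integration must not copy these from the inbound request onto the upstream one.
const CLIENT_IDENTIFYING_HEADERS = new Set([
  "user-agent", "referer", "origin", "accept-language", "cookie",
  "x-forwarded-for", "x-real-ip", "forwarded", "via", "true-client-ip",
]);

// Normalise user input before it leaves your system: keep only alphanumerics,
// require a UK-postcode shape (loose pattern, an assumption for illustration)
// and return the canonical "OUTWARD INWARD" form. Returns null on anything else,
// so free-text junk is never passed through to the processor verbatim.
function normalisePostcode(input) {
  const compact = String(input ?? "").toUpperCase().replace(/[^A-Z0-9]/g, "");
  if (!/^[A-Z]{1,2}\d[A-Z\d]?\d[A-Z]{2}$/.test(compact)) return null;
  return `${compact.slice(0, -3)} ${compact.slice(-3)}`;
}

// Build the upstream request from an explicit allowlist of headers instead of
// cloning the inbound ones. `dropped` lists the client-identifying inbound headers
// that were deliberately not forwarded, for your own audit log.
function buildUpstreamRequest(postcode, apiKey, inboundHeaders = {}) {
  const normalised = normalisePostcode(postcode);
  if (normalised === null) return null;
  const headers = {
    accept: "application/json",
    authorization: `Bearer ${apiKey}`, // assumed scheme; use the API's documented one
  };
  const dropped = Object.keys(inboundHeaders)
    .map((h) => h.toLowerCase())
    .filter((h) => CLIENT_IDENTIFYING_HEADERS.has(h));
  return {
    url: `${UPSTREAM_BASE}/v1/postcodes/${encodeURIComponent(normalised)}`, // path assumed
    headers,
    dropped,
  };
}

// Perform the lookup. `fetchImpl` is injectable so the forwarding logic can be
// exercised offline; in production the default global fetch (Node 18+) is used.
async function proxiedLookup(postcode, apiKey, inboundHeaders, fetchImpl = globalThis.fetch) {
  const req = buildUpstreamRequest(postcode, apiKey, inboundHeaders);
  if (req === null) return { status: 400, body: { error: "invalid postcode" } };
  const res = await fetchImpl(req.url, { method: "GET", headers: req.headers });
  return { status: res.status, body: await res.json() };
}
```

Because the upstream request is assembled from an allowlist rather than by copying the inbound request, adding a new inbound header (a tracing or client-hints header, say) cannot accidentally leak more end-user data; the `dropped` list lets you confirm that in your own logs without sending anything to the processor.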

Browsing data is collected in the short term for rate limiting and whitelisting purposes.

We also store this information for up to 28 days. Historically we have found it indispensable as a paper trail for analysing suspicious activity and for troubleshooting issues effectively. There have also been a significant number of ad hoc instances where being able to query recent server logs has been immensely useful for clients with non-standard support requests.

3. Sublicensee Name and Address

For users of the Sublicensing Platform, we also need to store the names and addresses of sublicensed organisations and submit these to Royal Mail.

We are contractually required to preserve this information for 6 years.

Who are our subprocessors?

Some or all of the personal data we process will pass through a subprocessor. These are outlined below.

Vendor                        Activity                                             Website
Amazon Web Services (AWS)     Hosting                                              https://aws.amazon.com/
DigitalOcean                  Hosting                                              https://digitalocean.com
Google Cloud Platform (GCP)   Hosting                                              https://cloud.google.com
Papertrail                    Log Centralisation, Intrusion Detection & Alerting   https://papertrailapp.com/
MongoDB                       Database Hosting                                     https://mongodb.com

If we need to add further subprocessors to this list, you will be informed ahead of time so that you can raise any objections.