Outlined in this document is a concise overview of how modern data protection law (namely, GDPR) relates specifically to Ideal Postcodes as your data processor (or subprocessor).
The exact details can be found in the Terms of Service (Part 2: Data Protection)
What changed after May 25th 2018
We have updated our Terms of Service to incorporate a Data Protection section which will provide you contractual assurance that we uphold the requirements of GDPR.
The CSV Export API (
/keys/:key/lookups) will have reduced functionality. We will not return IP address or address query data which is older than 28 days (as these data points will be irreversibly redacted). By June 2018, any personal data older than 28 days will be redacted. Furthermore, you may also opt to discard this data altogether.
What personal data do we process and why
Our aim is to collect as little information (personal or otherwise) through you as possible, while providing a service that is secure, reliable, fast and accurate as reasonably possible.
This means we will only collect information about you if it is required to:
- Provide you access to our services
- Secure our services from malicious activity
- Measure the performance of our services (i.e. speed, reliability and accuracy) with a view to implementing improvements
As such, we currently only intercept the following datapoints:
- Address Queries
- Browsing Data (for client side integrations only)
- Sublicensee Data (for users of our Sublicensing Platform)
1. Address Queries
We store addressing query strings both in our server logs and for your retrieval via the
This data is required in the short term reasons to perform our role in validating and cleansing addresses.
We keep this data for up to 28 days. This allows us to diagnose performance issues (i.e. slow running queries) and provide us with actionable data to improve our service. It is also a useful resource for clients integrating against the API or diagnosing buggy integrations.
2. Browsing Data
Browser Data is information included in HTTP requests sent to our APIs. This includes IP address as well as HTTP headers (language, user-agent, origin and refer(r)er being the most salient). Typically this data is stored in the form of server logs.
We only intercept this in the form of personal data if you have developed a client side integration. If you have a server or proxied integration, it is likely we capture no client Browsing Data.
Browsing data is collected short term for rate limiting and whitelisting purposes.
We also store this information for up to 28 days. We use it to analyse any suspicious activity and troubleshoot any issues. There are also a significant ad-hoc instances where being able to query over recent server logs has been immensely useful for clients with specific support requests.
3. Sublicensee Name and Address
For users of the Sublicensing Platform, we also need to store the names and addresses of sublicensed organisations and submit these to Royal Mail.
We are contractually required to preserve this information for 6 years.
Who are our subprocessors?
Some or all of the personal data we process will pass through a subprocessor based in the United Kingdom or European Union. These are outlined below:
|Amazon Web Services Inc||Hosting||https://aws.amazon.com||UK / EU|
|DigitalOcean LLC||Hosting||https://digitalocean.com||UK / EU|
|Google Ireland Limited (Google Cloud Platform)||Hosting||https://cloud.google.com||UK / EU|
|MongoDB Inc||Database Monitoring||https://mongodb.com||EU|
If we need to add more subprocessors to the list, you will be informed ahead of time in case you have any objections.