Privacy Policy
Last updated: 2026-03-01
This Privacy Policy explains how [NORTHROCK LEGAL ENTITY NAME] (“Northrock”, “we”, “us”, “our”) collects, uses, stores, and shares personal data when you use the Northrock platform (“Service”) and when you visit our website at northrockhq.com.
We are the data controller for personal data we collect directly from you (e.g. your account information). When you input your clients’ personal data into the Service, you are the data controller for that data and we act as your data processor. See our Terms of Service for the full Data Processing Agreement.
1. Information We Collect
Information you provide directly
- Account information: Name, email address, phone number, business name, business address, profile image
- Billing information: Payment method details are collected and processed by Stripe; we do not store your full card details
- Content you create: Trips, itineraries, client records, supplier records, policies, destination guides, financial data, uploaded images, and any other content you input into the Service
Information we collect automatically
- Usage data: Pages visited, features used, actions taken within the Service, timestamps, session duration
- Device and browser information: IP address, browser type and version, operating system, device type, screen resolution
- Cookies and similar technologies: See Section 7 below
Information from third parties
- Clerk: Authentication data (used to manage your login)
- Stripe: Subscription status and billing events (not full card details)
- Google Places API: Location and mapping data for itinerary services (not personal data about you)
2. How We Use Your Information
We use your information for the following purposes:
| Purpose | Lawful basis (UK GDPR) |
|---|---|
| Providing and operating the Service | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| Sending essential service communications (account confirmations, billing notices, security alerts) | Performance of contract (Art. 6(1)(b)) |
| Improving and developing the Service | Legitimate interest (Art. 6(1)(f)) |
| Analysing usage patterns and performance | Legitimate interest (Art. 6(1)(f)) |
| Responding to support requests | Performance of contract (Art. 6(1)(b)) |
| Preventing fraud and ensuring security | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Sending marketing communications (only with your consent) | Consent (Art. 6(1)(a)) |
3. Your Clients’ Data
When you use the Service to manage information about your clients (travellers), supplier contacts, and other individuals, you are the data controller for that personal data. This includes names, email addresses, phone numbers, dates of birth, passport numbers, nationality, and travel preferences.
Your responsibilities as controller
- You must have a lawful basis to collect and process your clients’ personal data
- You must inform your clients about how their data is processed (including that you use Northrock as a service provider)
- You must respond to any data subject access requests from your clients
- You must not input special category data (health information, religious beliefs, etc.) into the Service unless you have a valid lawful basis
Our responsibilities as processor
- We process your clients’ data solely to provide the Service to you
- We do not access, use, sell, or share your clients’ data for our own purposes
- We implement appropriate security measures to protect the data
- We assist you in responding to data subject requests where needed
Full details of our processing obligations are set out in the Data Processing Agreement within our Terms of Service.
4. Who We Share Data With
We do not sell your personal data to anyone.
We share personal data only with the following categories of recipients, and only to the extent necessary:
| Recipient | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting | United States |
| Stripe Inc. | Payment processing | United States |
| Clerk Inc. | Authentication | United States |
| Supabase Inc. | Database hosting | US East (North Virginia) |
| Anthropic PBC | AI features (content generation, validation) | United States |
| Pixabay / Canva GmbH | Stock imagery | Germany / Australia |
| Google LLC | Maps and location data | United States |
We may also share data:
- When required by law, regulation, or legal process
- To protect the rights, property, or safety of Northrock, our users, or others
- In connection with a merger, acquisition, or sale of business assets (we will notify you in advance)
5. International Transfers
Some of our service providers are based outside the UK, primarily in the United States. When personal data is transferred outside the UK to a country without a UK adequacy decision, we ensure appropriate safeguards are in place, such as:
- The UK International Data Transfer Agreement (IDTA)
- EU Standard Contractual Clauses with the UK Addendum
6. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Duration of your account, plus 30 days after deletion |
| Billing records | 7 years after the transaction (as required by UK tax law) |
| Your Content (trips, itineraries, client data) | Duration of your account, plus 30 days after termination. You may request export before deletion. |
| Published itineraries | Taken offline within 30 days of account termination |
| Usage and analytics data | 24 months, then anonymised or deleted |
| Support correspondence | 24 months after resolution |
7. Cookies
We use cookies and similar technologies on northrockhq.com and within the Service.
| Cookie type | Purpose | Required? |
|---|---|---|
| Strictly necessary | Authentication, security, core platform functionality | Yes — the Service cannot function without these |
| Analytics | Understanding how the Service is used, identifying issues, improving performance | Optional — you can opt out |
We do not use advertising or tracking cookies. We do not serve ads.
When you first visit our website, we will ask for your consent before setting any non-essential cookies. You can change your cookie preferences at any time through the cookie settings on our website.
For full details, see our Cookie Policy.
8. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Rectification: Ask us to correct inaccurate or incomplete data
- Erasure: Ask us to delete your personal data (subject to legal retention requirements)
- Restriction: Ask us to restrict processing of your data in certain circumstances
- Portability: Request your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interest
- Withdraw consent: Where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at hello@northrockhq.com. We will respond within one month.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
9. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS) and at rest
- Access controls and authentication via Clerk
- Regular security reviews
- Secure cloud infrastructure via Vercel and Supabase
No system is completely secure. We cannot guarantee absolute security, but we take reasonable steps to protect your data.
10. Children
The Service is not intended for use by anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The “Last updated” date at the top of this page indicates when the policy was last revised.
12. Contact
If you have questions about this Privacy Policy or how we handle your data, contact us at:
Data Controller: [NORTHROCK LEGAL ENTITY NAME]
Email: hello@northrockhq.com
Address: [ADDRESS]