Privacy Policy

Last updated: January 13, 2026

1. Introduction and Overview

CitySpotlight Limited ("CitySpotlight", "we", "us", or "our"), a company registered in England and Wales, is committed to protecting and respecting your privacy. This Privacy Policy explains in detail how we collect, use, store, share, and protect your personal information when you visit our website at cityspotlight.com, use our mobile applications, or interact with our billboard advertising marketplace platform (collectively, the "Services").

This Privacy Policy applies to all users of our Services, including advertisers seeking billboard space, billboard owners and operators listing their inventory, marketing agencies managing campaigns on behalf of clients, and general visitors browsing our platform.

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

2. Data Controller Information

For the purposes of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018, the data controller is:

Company Name: CitySpotlight Limited
Registered Address: 123 Business Street, London, EC1A 1BB, United Kingdom
Company Registration Number: 12345678
ICO Registration Number: ZA123456
Data Protection Officer: dpo@cityspotlight.com
General Enquiries: privacy@cityspotlight.com

3. Information We Collect

3.1 Information You Provide Directly

We collect information that you voluntarily provide when using our Services:

Account Registration Information

Full name (first name and surname)
Email address
Password (stored in encrypted format)
Phone number (mobile and/or landline)
Profile photograph (optional)
Account preferences and settings

Business and Professional Information

Company or trading name
Business registration number
VAT registration number (where applicable)
Business address and registered office address
Industry sector and business type
Job title and role within organization
Company website URL
Business contact details

Payment and Financial Information

Credit/debit card details (processed securely via Stripe)
Bank account details for refunds or payouts
Billing address
Transaction history and payment records
Invoice details and purchase orders
Tax identification numbers

Billboard Listing Information (for Billboard Owners)

Billboard location details (address, GPS coordinates)
Billboard specifications (dimensions, type, lighting)
Photographs and videos of billboard installations
Pricing information and availability calendars
Local authority permits and planning permissions
Insurance documentation
Technical specifications and installation requirements

Advertising Campaign Information (for Advertisers)

Campaign objectives and target demographics
Advertising creative assets (images, videos, designs)
Brand guidelines and requirements
Campaign schedules and duration preferences
Budget allocations and spending limits
Performance tracking preferences

Communications Data

Messages sent through our platform messaging system
Email correspondence with our team
Phone call recordings (where you are informed at the start of the call)
Live chat transcripts
Feedback, reviews, and testimonials
Survey responses
Support ticket contents

3.2 Information Collected Automatically

When you access or use our Services, we automatically collect certain information:

Device and Technical Information

IP address (IPv4 and IPv6)
Device type (desktop, tablet, mobile)
Operating system and version
Browser type and version
Screen resolution and color depth
Device identifiers and unique device IDs
Hardware model and manufacturer
Mobile network information
Language and locale settings
Time zone settings

Usage and Analytics Information

Pages and screens viewed
Time spent on each page
Navigation paths through the platform
Features used and interactions performed
Search queries entered
Filters and preferences applied
Links clicked (internal and external)
Downloads initiated
Error logs and crash reports
Session duration and frequency
Referring URLs and exit pages

Location Information

Approximate location derived from IP address
Precise GPS location (only with your explicit consent)
City, region, and country
Postal/ZIP code area

3.3 Information from Third Parties

We may receive information about you from third-party sources:

Identity verification services (for KYC compliance)
Credit reference agencies (for payment processing)
Social media platforms (if you link your accounts)
Marketing partners and advertising networks
Business data providers (for B2B information)
Public databases and registries (Companies House, etc.)
Analytics providers

4. How We Use Your Information

4.1 Providing and Improving Our Services

Creating and managing your user account
Processing billboard bookings and reservations
Facilitating communication between advertisers and billboard owners
Processing payments, refunds, and payouts
Providing customer support and responding to enquiries
Sending service-related notifications and updates
Personalizing your experience on our platform
Developing new features and improving existing ones
Conducting research and analytics to understand user behavior
Testing and troubleshooting our Services

4.2 Safety, Security, and Legal Compliance

Verifying user identities and preventing fraud
Detecting and preventing security threats and attacks
Enforcing our Terms of Service and other policies
Complying with legal obligations and regulatory requirements
Responding to legal requests from authorities
Protecting our rights, property, and safety
Protecting the rights of other users and third parties
Conducting internal audits and compliance checks

4.3 Marketing and Communications

Sending promotional emails about new features and offers (with consent)
Displaying targeted advertisements on our platform
Conducting market research and surveys
Analyzing campaign effectiveness and ROI
Creating lookalike audiences for advertising
Retargeting users who have shown interest in our Services

5. Legal Basis for Processing (UK GDPR / EU GDPR)

We process your personal data based on the following legal grounds:

5.1 Performance of Contract (Article 6(1)(b))

Processing necessary to fulfill our contractual obligations to you:

Account creation and management
Processing bookings and transactions
Payment processing
Customer support
Service delivery and fulfillment

5.2 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests, balanced against your rights:

Fraud prevention and security measures
Platform improvement and analytics
Business development and marketing to existing customers
Exercising and defending legal claims
Network and information security

5.3 Consent (Article 6(1)(a))

Processing based on your explicit consent:

Marketing communications and newsletters
Non-essential cookies and tracking
Location tracking (precise GPS)
Sharing data with marketing partners

5.4 Legal Obligation (Article 6(1)(c))

Processing necessary to comply with legal requirements:

Tax reporting and record-keeping
Responding to court orders and legal requests
Anti-money laundering (AML) compliance
Know Your Customer (KYC) requirements

6. Data Sharing and Disclosure

6.1 Service Providers and Processors

We share data with trusted third-party service providers who process data on our behalf:

Payment Processing: Stripe, Inc. (PCI-DSS compliant)
Cloud Hosting: Vercel
Database and Authentication: Supabase
Analytics: Google Analytics
Error Monitoring: Sentry
Maps and Location: Mapbox
Background Jobs: Upstash (QStash, Redis)

6.2 Business Partners

Billboard owners (to fulfill your booking requests)
Advertising agencies (when managing campaigns on your behalf)
Insurance providers (for coverage verification)
Installation and maintenance contractors

6.3 Legal and Regulatory Disclosure

We may disclose your information when required:

To comply with applicable laws and regulations
In response to valid legal process (court orders, subpoenas)
To protect our rights, privacy, safety, or property
To law enforcement agencies investigating crimes
To regulatory bodies and government authorities
In connection with legal proceedings

6.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any choices you may have regarding your data.

7. International Data Transfers

Your personal data may be transferred to, stored, and processed in countries outside the United Kingdom and European Economic Area (EEA) where our service providers operate. These countries may have different data protection laws than your country of residence.

When we transfer data internationally, we ensure appropriate safeguards:

Adequacy Decisions: Transfers to countries deemed adequate by the UK/EU
Standard Contractual Clauses (SCCs): EU-approved contractual protections
International Data Transfer Agreement (IDTA): UK-approved transfer mechanism
Binding Corporate Rules: For transfers within corporate groups
Certification Schemes: Such as EU-US Data Privacy Framework

You may request a copy of the safeguards we use by contacting our Data Protection Officer.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Data Category	Retention Period
Account information	Duration of account + 2 years after closure
Transaction records	7 years (UK tax requirements)
Communications	3 years from last interaction
Marketing preferences	Until consent withdrawn + 6 months
Analytics data	26 months (anonymized thereafter)
Legal/compliance records	10 years or as required by law
Security logs	12 months

9. Your Rights Under Data Protection Law

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

9.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data. We will respond to your request within one month.

9.2 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed. You can update most information directly in your account settings.

9.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data in certain circumstances, including when the data is no longer necessary or you withdraw consent. This right is not absolute and may be limited by legal obligations.

9.4 Right to Restrict Processing (Article 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or object to processing.

9.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.

9.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.

9.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects. We do not currently make such decisions.

9.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Exercising Your Rights

To exercise any of these rights, please contact us at:

Email: privacy@cityspotlight.com
Post: Data Protection Officer, CitySpotlight Ltd, 123 Business Street, London, EC1A 1BB
Online: Through your account settings or our contact form

We may need to verify your identity before processing your request. We will respond within one month, or inform you if an extension is required.

10. Cookies and Tracking Technologies

We use cookies, pixels, local storage, and similar technologies to collect information about your browsing activities. For comprehensive information about our use of these technologies, please refer to our separate Cookie Policy.

You can manage your cookie preferences through our cookie consent banner or your browser settings. Note that disabling certain cookies may affect the functionality of our Services.

11. Security Measures

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
Access Controls: Role-based access, multi-factor authentication
Infrastructure: SOC 2 Type II certified cloud providers
Monitoring: 24/7 security monitoring and intrusion detection
Testing: Regular penetration testing and vulnerability assessments
Training: Staff data protection training and awareness programs
Incident Response: Documented breach response procedures
Backups: Encrypted, geographically distributed backups

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

12. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@cityspotlight.com. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information.

13. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, and services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through our platform.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

Update the "Last updated" date at the top of this policy
Notify you via email (for registered users)
Display a prominent notice on our platform
Where required by law, seek your consent to the changes

We encourage you to review this Privacy Policy periodically. Your continued use of our Services after changes are posted constitutes your acceptance of the revised policy.

15. Complaints and Supervisory Authority

If you have concerns about how we handle your personal data, please contact us first at privacy@cityspotlight.com. We will do our best to resolve your concerns.

You also have the right to lodge a complaint with a supervisory authority. In the United Kingdom, this is the Information Commissioner's Office (ICO):

Website: www.ico.org.uk
Helpline: 0303 123 1113
Address:Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

16. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or our data practices:

Data Protection Officer: dpo@cityspotlight.com
Privacy Enquiries: privacy@cityspotlight.com
General Support: support@cityspotlight.com
Phone: +44 (0) 20 1234 5678
Post: CitySpotlight Limited, 123 Business Street, London, EC1A 1BB, United Kingdom

Last updated: January 13, 2026

1. Introduction and Overview

2. Data Controller Information

For the purposes of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018, the data controller is:

Company Name: CitySpotlight Limited
Registered Address: 123 Business Street, London, EC1A 1BB, United Kingdom
Company Registration Number: 12345678
ICO Registration Number: ZA123456
Data Protection Officer: dpo@cityspotlight.com
General Enquiries: privacy@cityspotlight.com

3. Information We Collect

3.1 Information You Provide Directly

We collect information that you voluntarily provide when using our Services:

Account Registration Information

Full name (first name and surname)
Email address
Password (stored in encrypted format)
Phone number (mobile and/or landline)
Profile photograph (optional)
Account preferences and settings

Business and Professional Information

Company or trading name
Business registration number
VAT registration number (where applicable)
Business address and registered office address
Industry sector and business type
Job title and role within organization
Company website URL
Business contact details

Payment and Financial Information

Credit/debit card details (processed securely via Stripe)
Bank account details for refunds or payouts
Billing address
Transaction history and payment records
Invoice details and purchase orders
Tax identification numbers

Billboard Listing Information (for Billboard Owners)

Billboard location details (address, GPS coordinates)
Billboard specifications (dimensions, type, lighting)
Photographs and videos of billboard installations
Pricing information and availability calendars
Local authority permits and planning permissions
Insurance documentation
Technical specifications and installation requirements

Advertising Campaign Information (for Advertisers)

Campaign objectives and target demographics
Advertising creative assets (images, videos, designs)
Brand guidelines and requirements
Campaign schedules and duration preferences
Budget allocations and spending limits
Performance tracking preferences

Communications Data

Messages sent through our platform messaging system
Email correspondence with our team
Phone call recordings (where you are informed at the start of the call)
Live chat transcripts
Feedback, reviews, and testimonials
Survey responses
Support ticket contents

3.2 Information Collected Automatically

When you access or use our Services, we automatically collect certain information:

Device and Technical Information

IP address (IPv4 and IPv6)
Device type (desktop, tablet, mobile)
Operating system and version
Browser type and version
Screen resolution and color depth
Device identifiers and unique device IDs
Hardware model and manufacturer
Mobile network information
Language and locale settings
Time zone settings

Usage and Analytics Information

Pages and screens viewed
Time spent on each page
Navigation paths through the platform
Features used and interactions performed
Search queries entered
Filters and preferences applied
Links clicked (internal and external)
Downloads initiated
Error logs and crash reports
Session duration and frequency
Referring URLs and exit pages

Location Information

Approximate location derived from IP address
Precise GPS location (only with your explicit consent)
City, region, and country
Postal/ZIP code area

3.3 Information from Third Parties

We may receive information about you from third-party sources:

Identity verification services (for KYC compliance)
Credit reference agencies (for payment processing)
Social media platforms (if you link your accounts)
Marketing partners and advertising networks
Business data providers (for B2B information)
Public databases and registries (Companies House, etc.)
Analytics providers

4. How We Use Your Information

4.1 Providing and Improving Our Services

Creating and managing your user account
Processing billboard bookings and reservations
Facilitating communication between advertisers and billboard owners
Processing payments, refunds, and payouts
Providing customer support and responding to enquiries
Sending service-related notifications and updates
Personalizing your experience on our platform
Developing new features and improving existing ones
Conducting research and analytics to understand user behavior
Testing and troubleshooting our Services

4.2 Safety, Security, and Legal Compliance

Verifying user identities and preventing fraud
Detecting and preventing security threats and attacks
Enforcing our Terms of Service and other policies
Complying with legal obligations and regulatory requirements
Responding to legal requests from authorities
Protecting our rights, property, and safety
Protecting the rights of other users and third parties
Conducting internal audits and compliance checks

4.3 Marketing and Communications

Sending promotional emails about new features and offers (with consent)
Displaying targeted advertisements on our platform
Conducting market research and surveys
Analyzing campaign effectiveness and ROI
Creating lookalike audiences for advertising
Retargeting users who have shown interest in our Services

5. Legal Basis for Processing (UK GDPR / EU GDPR)

We process your personal data based on the following legal grounds:

5.1 Performance of Contract (Article 6(1)(b))

Processing necessary to fulfill our contractual obligations to you:

Account creation and management
Processing bookings and transactions
Payment processing
Customer support
Service delivery and fulfillment

5.2 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests, balanced against your rights:

Fraud prevention and security measures
Platform improvement and analytics
Business development and marketing to existing customers
Exercising and defending legal claims
Network and information security

5.3 Consent (Article 6(1)(a))

Processing based on your explicit consent:

Marketing communications and newsletters
Non-essential cookies and tracking
Location tracking (precise GPS)
Sharing data with marketing partners

5.4 Legal Obligation (Article 6(1)(c))

Processing necessary to comply with legal requirements:

Tax reporting and record-keeping
Responding to court orders and legal requests
Anti-money laundering (AML) compliance
Know Your Customer (KYC) requirements

6. Data Sharing and Disclosure

6.1 Service Providers and Processors

We share data with trusted third-party service providers who process data on our behalf:

Payment Processing: Stripe, Inc. (PCI-DSS compliant)
Cloud Hosting: Vercel
Database and Authentication: Supabase
Analytics: Google Analytics
Error Monitoring: Sentry
Maps and Location: Mapbox
Background Jobs: Upstash (QStash, Redis)

6.2 Business Partners

Billboard owners (to fulfill your booking requests)
Advertising agencies (when managing campaigns on your behalf)
Insurance providers (for coverage verification)
Installation and maintenance contractors

6.3 Legal and Regulatory Disclosure

We may disclose your information when required:

To comply with applicable laws and regulations
In response to valid legal process (court orders, subpoenas)
To protect our rights, privacy, safety, or property
To law enforcement agencies investigating crimes
To regulatory bodies and government authorities
In connection with legal proceedings

6.4 Business Transfers

7. International Data Transfers

When we transfer data internationally, we ensure appropriate safeguards:

Adequacy Decisions: Transfers to countries deemed adequate by the UK/EU
Standard Contractual Clauses (SCCs): EU-approved contractual protections
International Data Transfer Agreement (IDTA): UK-approved transfer mechanism
Binding Corporate Rules: For transfers within corporate groups
Certification Schemes: Such as EU-US Data Privacy Framework

You may request a copy of the safeguards we use by contacting our Data Protection Officer.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Data Category	Retention Period
Account information	Duration of account + 2 years after closure
Transaction records	7 years (UK tax requirements)
Communications	3 years from last interaction
Marketing preferences	Until consent withdrawn + 6 months
Analytics data	26 months (anonymized thereafter)
Legal/compliance records	10 years or as required by law
Security logs	12 months

9. Your Rights Under Data Protection Law

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

9.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data. We will respond to your request within one month.

9.2 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed. You can update most information directly in your account settings.

9.3 Right to Erasure (Article 17)

9.4 Right to Restrict Processing (Article 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or object to processing.

9.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.

9.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.

9.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects. We do not currently make such decisions.

9.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Exercising Your Rights

To exercise any of these rights, please contact us at:

Email: privacy@cityspotlight.com
Post: Data Protection Officer, CitySpotlight Ltd, 123 Business Street, London, EC1A 1BB
Online: Through your account settings or our contact form

We may need to verify your identity before processing your request. We will respond within one month, or inform you if an extension is required.

10. Cookies and Tracking Technologies

You can manage your cookie preferences through our cookie consent banner or your browser settings. Note that disabling certain cookies may affect the functionality of our Services.

11. Security Measures

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
Access Controls: Role-based access, multi-factor authentication
Infrastructure: SOC 2 Type II certified cloud providers
Monitoring: 24/7 security monitoring and intrusion detection
Testing: Regular penetration testing and vulnerability assessments
Training: Staff data protection training and awareness programs
Incident Response: Documented breach response procedures
Backups: Encrypted, geographically distributed backups

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

12. Children's Privacy

13. Third-Party Links and Services

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

Update the "Last updated" date at the top of this policy
Notify you via email (for registered users)
Display a prominent notice on our platform
Where required by law, seek your consent to the changes

We encourage you to review this Privacy Policy periodically. Your continued use of our Services after changes are posted constitutes your acceptance of the revised policy.

15. Complaints and Supervisory Authority

If you have concerns about how we handle your personal data, please contact us first at privacy@cityspotlight.com. We will do our best to resolve your concerns.

You also have the right to lodge a complaint with a supervisory authority. In the United Kingdom, this is the Information Commissioner's Office (ICO):

Website: www.ico.org.uk
Helpline: 0303 123 1113
Address:Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

16. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or our data practices:

Data Protection Officer: dpo@cityspotlight.com
Privacy Enquiries: privacy@cityspotlight.com
General Support: support@cityspotlight.com
Phone: +44 (0) 20 1234 5678
Post: CitySpotlight Limited, 123 Business Street, London, EC1A 1BB, United Kingdom

Last updated: January 13, 2026

1. Introduction and Overview

2. Data Controller Information

For the purposes of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018, the data controller is:

Company Name: CitySpotlight Limited
Registered Address: 123 Business Street, London, EC1A 1BB, United Kingdom
Company Registration Number: 12345678
ICO Registration Number: ZA123456
Data Protection Officer: dpo@cityspotlight.com
General Enquiries: privacy@cityspotlight.com

3. Information We Collect

3.1 Information You Provide Directly

We collect information that you voluntarily provide when using our Services:

Account Registration Information

Full name (first name and surname)
Email address
Password (stored in encrypted format)
Phone number (mobile and/or landline)
Profile photograph (optional)
Account preferences and settings

Business and Professional Information

Company or trading name
Business registration number
VAT registration number (where applicable)
Business address and registered office address
Industry sector and business type
Job title and role within organization
Company website URL
Business contact details

Payment and Financial Information

Credit/debit card details (processed securely via Stripe)
Bank account details for refunds or payouts
Billing address
Transaction history and payment records
Invoice details and purchase orders
Tax identification numbers

Billboard Listing Information (for Billboard Owners)

Billboard location details (address, GPS coordinates)
Billboard specifications (dimensions, type, lighting)
Photographs and videos of billboard installations
Pricing information and availability calendars
Local authority permits and planning permissions
Insurance documentation
Technical specifications and installation requirements

Advertising Campaign Information (for Advertisers)

Campaign objectives and target demographics
Advertising creative assets (images, videos, designs)
Brand guidelines and requirements
Campaign schedules and duration preferences
Budget allocations and spending limits
Performance tracking preferences

Communications Data

Messages sent through our platform messaging system
Email correspondence with our team
Phone call recordings (where you are informed at the start of the call)
Live chat transcripts
Feedback, reviews, and testimonials
Survey responses
Support ticket contents

3.2 Information Collected Automatically

When you access or use our Services, we automatically collect certain information:

Device and Technical Information

IP address (IPv4 and IPv6)
Device type (desktop, tablet, mobile)
Operating system and version
Browser type and version
Screen resolution and color depth
Device identifiers and unique device IDs
Hardware model and manufacturer
Mobile network information
Language and locale settings
Time zone settings

Usage and Analytics Information

Pages and screens viewed
Time spent on each page
Navigation paths through the platform
Features used and interactions performed
Search queries entered
Filters and preferences applied
Links clicked (internal and external)
Downloads initiated
Error logs and crash reports
Session duration and frequency
Referring URLs and exit pages

Location Information

Approximate location derived from IP address
Precise GPS location (only with your explicit consent)
City, region, and country
Postal/ZIP code area

3.3 Information from Third Parties

We may receive information about you from third-party sources:

Identity verification services (for KYC compliance)
Credit reference agencies (for payment processing)
Social media platforms (if you link your accounts)
Marketing partners and advertising networks
Business data providers (for B2B information)
Public databases and registries (Companies House, etc.)
Analytics providers

4. How We Use Your Information

4.1 Providing and Improving Our Services

Creating and managing your user account
Processing billboard bookings and reservations
Facilitating communication between advertisers and billboard owners
Processing payments, refunds, and payouts
Providing customer support and responding to enquiries
Sending service-related notifications and updates
Personalizing your experience on our platform
Developing new features and improving existing ones
Conducting research and analytics to understand user behavior
Testing and troubleshooting our Services

4.2 Safety, Security, and Legal Compliance

Verifying user identities and preventing fraud
Detecting and preventing security threats and attacks
Enforcing our Terms of Service and other policies
Complying with legal obligations and regulatory requirements
Responding to legal requests from authorities
Protecting our rights, property, and safety
Protecting the rights of other users and third parties
Conducting internal audits and compliance checks

4.3 Marketing and Communications

Sending promotional emails about new features and offers (with consent)
Displaying targeted advertisements on our platform
Conducting market research and surveys
Analyzing campaign effectiveness and ROI
Creating lookalike audiences for advertising
Retargeting users who have shown interest in our Services

5. Legal Basis for Processing (UK GDPR / EU GDPR)

We process your personal data based on the following legal grounds:

5.1 Performance of Contract (Article 6(1)(b))

Processing necessary to fulfill our contractual obligations to you:

Account creation and management
Processing bookings and transactions
Payment processing
Customer support
Service delivery and fulfillment

5.2 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests, balanced against your rights:

Fraud prevention and security measures
Platform improvement and analytics
Business development and marketing to existing customers
Exercising and defending legal claims
Network and information security

5.3 Consent (Article 6(1)(a))

Processing based on your explicit consent:

Marketing communications and newsletters
Non-essential cookies and tracking
Location tracking (precise GPS)
Sharing data with marketing partners

5.4 Legal Obligation (Article 6(1)(c))

Processing necessary to comply with legal requirements:

Tax reporting and record-keeping
Responding to court orders and legal requests
Anti-money laundering (AML) compliance
Know Your Customer (KYC) requirements

6. Data Sharing and Disclosure

6.1 Service Providers and Processors

We share data with trusted third-party service providers who process data on our behalf:

Payment Processing: Stripe, Inc. (PCI-DSS compliant)
Cloud Hosting: Vercel
Database and Authentication: Supabase
Analytics: Google Analytics
Error Monitoring: Sentry
Maps and Location: Mapbox
Background Jobs: Upstash (QStash, Redis)

6.2 Business Partners

Billboard owners (to fulfill your booking requests)
Advertising agencies (when managing campaigns on your behalf)
Insurance providers (for coverage verification)
Installation and maintenance contractors

6.3 Legal and Regulatory Disclosure

We may disclose your information when required:

To comply with applicable laws and regulations
In response to valid legal process (court orders, subpoenas)
To protect our rights, privacy, safety, or property
To law enforcement agencies investigating crimes
To regulatory bodies and government authorities
In connection with legal proceedings

6.4 Business Transfers

7. International Data Transfers

When we transfer data internationally, we ensure appropriate safeguards:

Adequacy Decisions: Transfers to countries deemed adequate by the UK/EU
Standard Contractual Clauses (SCCs): EU-approved contractual protections
International Data Transfer Agreement (IDTA): UK-approved transfer mechanism
Binding Corporate Rules: For transfers within corporate groups
Certification Schemes: Such as EU-US Data Privacy Framework

You may request a copy of the safeguards we use by contacting our Data Protection Officer.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Data Category	Retention Period
Account information	Duration of account + 2 years after closure
Transaction records	7 years (UK tax requirements)
Communications	3 years from last interaction
Marketing preferences	Until consent withdrawn + 6 months
Analytics data	26 months (anonymized thereafter)
Legal/compliance records	10 years or as required by law
Security logs	12 months

9. Your Rights Under Data Protection Law

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

9.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data. We will respond to your request within one month.

9.2 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed. You can update most information directly in your account settings.

9.3 Right to Erasure (Article 17)

9.4 Right to Restrict Processing (Article 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or object to processing.

9.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.

9.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.

9.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects. We do not currently make such decisions.

9.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Exercising Your Rights

To exercise any of these rights, please contact us at:

Email: privacy@cityspotlight.com
Post: Data Protection Officer, CitySpotlight Ltd, 123 Business Street, London, EC1A 1BB
Online: Through your account settings or our contact form

We may need to verify your identity before processing your request. We will respond within one month, or inform you if an extension is required.

10. Cookies and Tracking Technologies

You can manage your cookie preferences through our cookie consent banner or your browser settings. Note that disabling certain cookies may affect the functionality of our Services.

11. Security Measures

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
Access Controls: Role-based access, multi-factor authentication
Infrastructure: SOC 2 Type II certified cloud providers
Monitoring: 24/7 security monitoring and intrusion detection
Testing: Regular penetration testing and vulnerability assessments
Training: Staff data protection training and awareness programs
Incident Response: Documented breach response procedures
Backups: Encrypted, geographically distributed backups

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

12. Children's Privacy

13. Third-Party Links and Services

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

Update the "Last updated" date at the top of this policy
Notify you via email (for registered users)
Display a prominent notice on our platform
Where required by law, seek your consent to the changes

We encourage you to review this Privacy Policy periodically. Your continued use of our Services after changes are posted constitutes your acceptance of the revised policy.

15. Complaints and Supervisory Authority

If you have concerns about how we handle your personal data, please contact us first at privacy@cityspotlight.com. We will do our best to resolve your concerns.

You also have the right to lodge a complaint with a supervisory authority. In the United Kingdom, this is the Information Commissioner's Office (ICO):

Website: www.ico.org.uk
Helpline: 0303 123 1113
Address:Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

16. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or our data practices:

Data Protection Officer: dpo@cityspotlight.com
Privacy Enquiries: privacy@cityspotlight.com
General Support: support@cityspotlight.com
Phone: +44 (0) 20 1234 5678
Post: CitySpotlight Limited, 123 Business Street, London, EC1A 1BB, United Kingdom

Privacy Policy

Our privacy policy and how we use your data

1. Introduction and Overview

2. Data Controller Information

3. Information We Collect

3.1 Information You Provide Directly

Account Registration Information

Business and Professional Information

Payment and Financial Information

Billboard Listing Information (for Billboard Owners)

Advertising Campaign Information (for Advertisers)

Communications Data

3.2 Information Collected Automatically

Device and Technical Information

Usage and Analytics Information

Location Information

3.3 Information from Third Parties

4. How We Use Your Information

4.1 Providing and Improving Our Services

4.2 Safety, Security, and Legal Compliance

4.3 Marketing and Communications

5. Legal Basis for Processing (UK GDPR / EU GDPR)

5.1 Performance of Contract (Article 6(1)(b))

5.2 Legitimate Interests (Article 6(1)(f))

5.3 Consent (Article 6(1)(a))

5.4 Legal Obligation (Article 6(1)(c))

6. Data Sharing and Disclosure

6.1 Service Providers and Processors

6.2 Business Partners

6.3 Legal and Regulatory Disclosure

6.4 Business Transfers

7. International Data Transfers

8. Data Retention

9. Your Rights Under Data Protection Law

9.1 Right of Access (Article 15)

9.2 Right to Rectification (Article 16)

9.3 Right to Erasure (Article 17)

9.4 Right to Restrict Processing (Article 18)

9.5 Right to Data Portability (Article 20)

9.6 Right to Object (Article 21)

9.7 Rights Related to Automated Decision-Making (Article 22)

9.8 Right to Withdraw Consent

Exercising Your Rights

10. Cookies and Tracking Technologies

11. Security Measures

12. Children's Privacy

13. Third-Party Links and Services

14. Changes to This Privacy Policy

15. Complaints and Supervisory Authority

16. Contact Information

Privacy Policy

Our privacy policy and how we use your data

1. Introduction and Overview

2. Data Controller Information

3. Information We Collect

3.1 Information You Provide Directly

Account Registration Information

Business and Professional Information

Payment and Financial Information

Billboard Listing Information (for Billboard Owners)

Advertising Campaign Information (for Advertisers)

Communications Data

3.2 Information Collected Automatically

Device and Technical Information

Usage and Analytics Information

Location Information

3.3 Information from Third Parties

4. How We Use Your Information

4.1 Providing and Improving Our Services

4.2 Safety, Security, and Legal Compliance

4.3 Marketing and Communications

5. Legal Basis for Processing (UK GDPR / EU GDPR)

5.1 Performance of Contract (Article 6(1)(b))

5.2 Legitimate Interests (Article 6(1)(f))

5.3 Consent (Article 6(1)(a))

5.4 Legal Obligation (Article 6(1)(c))

6. Data Sharing and Disclosure

6.1 Service Providers and Processors

6.2 Business Partners

6.3 Legal and Regulatory Disclosure