Privacy Policy

Our privacy policy and how we use your data

Last updated: January 13, 2026

1. Introduction and Overview

CitySpotlight Limited ("CitySpotlight", "we", "us", or "our"), a company registered in England and Wales, is committed to protecting and respecting your privacy. This Privacy Policy explains in detail how we collect, use, store, share, and protect your personal information when you visit our website at cityspotlight.com, use our mobile applications, or interact with our billboard advertising marketplace platform (collectively, the "Services").

This Privacy Policy applies to all users of our Services, including advertisers seeking billboard space, billboard owners and operators listing their inventory, marketing agencies managing campaigns on behalf of clients, and general visitors browsing our platform.

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

2. Data Controller Information

For the purposes of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018, the data controller is:

  • Company Name: CitySpotlight Limited
  • Registered Address: 123 Business Street, London, EC1A 1BB, United Kingdom
  • Company Registration Number: 12345678
  • ICO Registration Number: ZA123456
  • Data Protection Officer: dpo@cityspotlight.com
  • General Enquiries: privacy@cityspotlight.com

3. Information We Collect

3.1 Information You Provide Directly

We collect information that you voluntarily provide when using our Services:

Account Registration Information

  • Full name (first name and surname)
  • Email address
  • Password (stored in encrypted format)
  • Phone number (mobile and/or landline)
  • Profile photograph (optional)
  • Account preferences and settings

Business and Professional Information

  • Company or trading name
  • Business registration number
  • VAT registration number (where applicable)
  • Business address and registered office address
  • Industry sector and business type
  • Job title and role within organization
  • Company website URL
  • Business contact details

Payment and Financial Information

  • Credit/debit card details (processed securely via Stripe)
  • Bank account details for refunds or payouts
  • Billing address
  • Transaction history and payment records
  • Invoice details and purchase orders
  • Tax identification numbers

Billboard Listing Information (for Billboard Owners)

  • Billboard location details (address, GPS coordinates)
  • Billboard specifications (dimensions, type, lighting)
  • Photographs and videos of billboard installations
  • Pricing information and availability calendars
  • Local authority permits and planning permissions
  • Insurance documentation
  • Technical specifications and installation requirements

Advertising Campaign Information (for Advertisers)

  • Campaign objectives and target demographics
  • Advertising creative assets (images, videos, designs)
  • Brand guidelines and requirements
  • Campaign schedules and duration preferences
  • Budget allocations and spending limits
  • Performance tracking preferences

Communications Data

  • Messages sent through our platform messaging system
  • Email correspondence with our team
  • Phone call recordings (where you are informed at the start of the call)
  • Live chat transcripts
  • Feedback, reviews, and testimonials
  • Survey responses
  • Support ticket contents

3.2 Information Collected Automatically

When you access or use our Services, we automatically collect certain information:

Device and Technical Information

  • IP address (IPv4 and IPv6)
  • Device type (desktop, tablet, mobile)
  • Operating system and version
  • Browser type and version
  • Screen resolution and color depth
  • Device identifiers and unique device IDs
  • Hardware model and manufacturer
  • Mobile network information
  • Language and locale settings
  • Time zone settings

Usage and Analytics Information

  • Pages and screens viewed
  • Time spent on each page
  • Navigation paths through the platform
  • Features used and interactions performed
  • Search queries entered
  • Filters and preferences applied
  • Links clicked (internal and external)
  • Downloads initiated
  • Error logs and crash reports
  • Session duration and frequency
  • Referring URLs and exit pages

Location Information

  • Approximate location derived from IP address
  • Precise GPS location (only with your explicit consent)
  • City, region, and country
  • Postal/ZIP code area

3.3 Information from Third Parties

We may receive information about you from third-party sources:

  • Identity verification services (for KYC compliance)
  • Credit reference agencies (for payment processing)
  • Social media platforms (if you link your accounts)
  • Marketing partners and advertising networks
  • Business data providers (for B2B information)
  • Public databases and registries (Companies House, etc.)
  • Analytics providers

4. How We Use Your Information

4.1 Providing and Improving Our Services

  • Creating and managing your user account
  • Processing billboard bookings and reservations
  • Facilitating communication between advertisers and billboard owners
  • Processing payments, refunds, and payouts
  • Providing customer support and responding to enquiries
  • Sending service-related notifications and updates
  • Personalizing your experience on our platform
  • Developing new features and improving existing ones
  • Conducting research and analytics to understand user behavior
  • Testing and troubleshooting our Services

4.2 Safety, Security, and Legal Compliance

  • Verifying user identities and preventing fraud
  • Detecting and preventing security threats and attacks
  • Enforcing our Terms of Service and other policies
  • Complying with legal obligations and regulatory requirements
  • Responding to legal requests from authorities
  • Protecting our rights, property, and safety
  • Protecting the rights of other users and third parties
  • Conducting internal audits and compliance checks

4.3 Marketing and Communications

  • Sending promotional emails about new features and offers (with consent)
  • Displaying targeted advertisements on our platform
  • Conducting market research and surveys
  • Analyzing campaign effectiveness and ROI
  • Creating lookalike audiences for advertising
  • Retargeting users who have shown interest in our Services

5. Legal Basis for Processing (UK GDPR / EU GDPR)

We process your personal data based on the following legal grounds:

5.1 Performance of Contract (Article 6(1)(b))

Processing necessary to fulfill our contractual obligations to you:

  • Account creation and management
  • Processing bookings and transactions
  • Payment processing
  • Customer support
  • Service delivery and fulfillment

5.2 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests, balanced against your rights:

  • Fraud prevention and security measures
  • Platform improvement and analytics
  • Business development and marketing to existing customers
  • Exercising and defending legal claims
  • Network and information security

5.3 Consent (Article 6(1)(a))

Processing based on your explicit consent:

  • Marketing communications and newsletters
  • Non-essential cookies and tracking
  • Location tracking (precise GPS)
  • Sharing data with marketing partners

5.4 Legal Obligation (Article 6(1)(c))

Processing necessary to comply with legal requirements:

  • Tax reporting and record-keeping
  • Responding to court orders and legal requests
  • Anti-money laundering (AML) compliance
  • Know Your Customer (KYC) requirements

6. Data Sharing and Disclosure

6.1 Service Providers and Processors

We share data with trusted third-party service providers who process data on our behalf:

  • Payment Processing: Stripe, Inc. (PCI-DSS compliant)
  • Cloud Hosting: Vercel
  • Database and Authentication: Supabase
  • Analytics: Google Analytics
  • Error Monitoring: Sentry
  • Maps and Location: Mapbox
  • Background Jobs: Upstash (QStash, Redis)

6.2 Business Partners

  • Billboard owners (to fulfill your booking requests)
  • Advertising agencies (when managing campaigns on your behalf)
  • Insurance providers (for coverage verification)
  • Installation and maintenance contractors

6.3 Legal and Regulatory Disclosure

We may disclose your information when required:

  • To comply with applicable laws and regulations
  • In response to valid legal process (court orders, subpoenas)
  • To protect our rights, privacy, safety, or property
  • To law enforcement agencies investigating crimes
  • To regulatory bodies and government authorities
  • In connection with legal proceedings

6.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any choices you may have regarding your data.

7. International Data Transfers

Your personal data may be transferred to, stored, and processed in countries outside the United Kingdom and European Economic Area (EEA) where our service providers operate. These countries may have different data protection laws than your country of residence.

When we transfer data internationally, we ensure appropriate safeguards:

  • Adequacy Decisions: Transfers to countries deemed adequate by the UK/EU
  • Standard Contractual Clauses (SCCs): EU-approved contractual protections
  • International Data Transfer Agreement (IDTA): UK-approved transfer mechanism
  • Binding Corporate Rules: For transfers within corporate groups
  • Certification Schemes: Such as EU-US Data Privacy Framework

You may request a copy of the safeguards we use by contacting our Data Protection Officer.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Data Category: Retention Period

  • Account information: Duration of account + 2 years after closure
  • Transaction records: 7 years (UK tax requirements)
  • Communications: 3 years from last interaction
  • Marketing preferences: Until consent withdrawn + 6 months
  • Analytics data: 26 months (anonymized thereafter)
  • Legal/compliance records: 10 years or as required by law
  • Security logs: 12 months

9. Your Rights Under Data Protection Law

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

9.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data. We will respond to your request within one month.

9.2 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed. You can update most information directly in your account settings.

9.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data in certain circumstances, including when the data is no longer necessary or you withdraw consent. This right is not absolute and may be limited by legal obligations.

9.4 Right to Restrict Processing (Article 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or object to processing.

9.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.

9.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.

9.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects. We do not currently make such decisions.

9.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Exercising Your Rights

To exercise any of these rights, please contact us at:

  • Email: privacy@cityspotlight.com
  • Post: Data Protection Officer, CitySpotlight Ltd, 123 Business Street, London, EC1A 1BB
  • Online: Through your account settings or our contact form

We may need to verify your identity before processing your request. We will respond within one month, or inform you if an extension is required.

10. Cookies and Tracking Technologies

We use cookies, pixels, local storage, and similar technologies to collect information about your browsing activities. For comprehensive information about our use of these technologies, please refer to our separate Cookie Policy.

You can manage your cookie preferences through our cookie consent banner or your browser settings. Note that disabling certain cookies may affect the functionality of our Services.

11. Security Measures

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access, multi-factor authentication
  • Infrastructure: SOC 2 Type II certified cloud providers
  • Monitoring: 24/7 security monitoring and intrusion detection
  • Testing: Regular penetration testing and vulnerability assessments
  • Training: Staff data protection training and awareness programs
  • Incident Response: Documented breach response procedures
  • Backups: Encrypted, geographically distributed backups

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

12. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@cityspotlight.com. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information.

13. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, and services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through our platform.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify you via email (for registered users)
  • Display a prominent notice on our platform
  • Where required by law, seek your consent to the changes

We encourage you to review this Privacy Policy periodically. Your continued use of our Services after changes are posted constitutes your acceptance of the revised policy.

15. Complaints and Supervisory Authority

If you have concerns about how we handle your personal data, please contact us first at privacy@cityspotlight.com. We will do our best to resolve your concerns.

You also have the right to lodge a complaint with a supervisory authority. In the United Kingdom, this is the Information Commissioner's Office (ICO):

  • Website: www.ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

16. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or our data practices:

  • Data Protection Officer: dpo@cityspotlight.com
  • Privacy Enquiries: privacy@cityspotlight.com
  • General Support: support@cityspotlight.com
  • Phone: +44 (0) 20 1234 5678
  • Post: CitySpotlight Limited, 123 Business Street, London, EC1A 1BB, United Kingdom