Legal DocumentPrivacy Policy
Version 1.0·Last updated: June 2026·Effective date: June 2026
This Privacy Policy explains how Snag Scout collects, uses, stores, and protects your personal data when you use our platform. Please read this document carefully before submitting a report. By using Snag Scout, you agree to the practices described in this policy.
Section 1Who We Are
Snag Scout is an independent new-build review platform operated in the United Kingdom. We provide a structured platform through which verified buyers and owners of new-build properties can submit evidence-led reviews, with the property developer or house builder always given a free right of reply.
For the purposes of UK data protection law, Snag Scout is the data controller in respect of all personal data collected through this platform.
Data Controller contact detailsTrading name: Snag Scout
Operational region: South West England (UK soft launch)
Section 2Legal Basis for Processing
All personal data processed by Snag Scout is handled in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We process your personal data on the following lawful bases:
Contractual necessity (Article 6(1)(b))
Processing your name, email address and property details is necessary to fulfil our service — specifically to verify you are a genuine resident and publish your verified, anonymous review.
Legitimate interests (Article 6(1)(f))
We process anonymised defect data and publish it in the public registry on the basis of our legitimate interest in promoting construction transparency and consumer protection in the new-build sector.
Consent (Article 6(1)(a))
Where we process data beyond what is strictly necessary — such as retaining your email address for registry update notifications — we rely on your explicit consent obtained at the point of submission.
Legal obligation (Article 6(1)(c))
We may process and retain certain data where required to do so by applicable UK law, including in response to lawful requests from regulatory authorities or courts.
Section 3What Personal Data We Collect
We apply the principle of data minimisation — collecting only the personal data that is strictly necessary to operate the platform and publish verified, anonymous reviews.
3.1 Data collected during submission
| Data field | Purpose | Public? | Legal basis | Retention |
|---|
| Full legal name | Verifying you’re a genuine resident | No — never | Contractual necessity | 2 years |
| Email address | Confirmation & review updates | No — never | Contractual necessity / Consent | 2 years |
| Property address | Verification & Land Registry cross-check | No — never | Contractual necessity | 2 years |
| Proof document | Confirming a genuine, verified resident (defamation defence) | No — admin vault only | Legitimate interests | 5 years |
| County | Shown on your public review | Yes — county only | Legitimate interests | Permanent |
| Builder / Developer name | Attributing the review to the right builder | Yes | Legitimate interests | Permanent |
| Ratings & written review | Published in your public review | Yes | Legitimate interests | Permanent |
3.2 Technical and usage data
We may collect standard server log data including IP addresses, browser type, operating system, referring URLs, and page visit timestamps. This data is used solely for platform security monitoring and performance analysis. It is not linked to personal identity records and is retained for a maximum of 90 days.
3.3 Email capture (rankings waitlist)
If you voluntarily submit your email address via our rankings waitlist capture form, this email is stored separately from submission data and is used only to notify you when builder rankings are published. You may unsubscribe at any time by contacting us at legal@snagscout.co.uk.
Section 4Anonymisation Protocol
Every public submission is anonymised by default. Snag Scout applies a data anonymisation protocol to the public output of every review as follows:
✓Your full name and email are never published — they are held in encrypted, admin-only storage
✓The plot number or site address is stored in encrypted, admin-only storage only
✓The development name is not shown on the public record
✓The public registry entry displays the reviewer as "Verified resident, [County]" only
Important:anonymisation protects your identity on the public record. Your builder still receives the plot and snag details they need to respond and put things right, so a builder you have dealt with directly may already know who you are — what we protect is your public anonymity. One further limit: in the rare event of a valid UK court order or other lawful requirement, we may be legally compelled to disclose information we hold (see “Legal disclosures” below). We will notify you of any such request where we are permitted to do so.
Section 5How Your Data is Stored & Protected
5.1 Database architecture
Snag Scout operates a decoupled data split architecture using Supabase (a PostgreSQL-based backend-as-a-service platform). Personal data is separated across two distinct database tables with fundamentally different access controls:
reviews table (publicly readable)
Stores anonymised, aggregated defect data including county, defect category, objective summary, resolution status, and builder response. Row Level Security allows public SELECT access to this table only.
private_verifications table (hyper-secure)
Stores all Personally Identifiable Information (PII) including full legal name, email address, plot number, and proof document reference. Row Level Security is completely locked down. This table has zero client-side read or write access and can only be queried via an elevated database service_role administrative token.
5.2 Proof of purchase document storage
Proof of purchase documents are stored in a private, access-controlled storage bucket. Documents are renamed with a collision-proof unique identifier on upload. The storage bucket is completely private — no public web links are generated. Access is restricted to authenticated platform administrators only, who may generate short-lived signed URLs for the purpose of manual audit review only.
5.3 Data transit security
All data transmitted between your browser and Snag Scout's servers is encrypted in transit using Transport Layer Security (TLS). We do not transmit personal data over unencrypted connections.
5.4 Row Level Security
Supabase Row Level Security (RLS) is active on all database tables. RLS enforces database-level access policies that prevent any user, application layer, or third-party integration from accessing data records that do not belong to them — regardless of how the application layer behaves. This adds a strong, database-level safeguard that operates independently of our application code.
Section 6Who We Share Your Data With
Snag Scout does not sell, rent, or share your personal data with third parties for commercial purposes. We do not use your data for advertising. We do not use third-party advertising networks.
Your personal data may be shared in the following limited circumstances only:
Supabase (data processor)
Our database and file storage infrastructure is provided by Supabase Inc. Supabase processes data on our behalf as a data processor under a Data Processing Agreement. Supabase infrastructure is hosted in the EU. For more information see supabase.com/privacy.
Developer / builder
We never share your personal data with a builder. A builder can see the published review — which is anonymised to county level — and add a public reply. Your name, email, address, plot number and proof documents are never disclosed to a builder.
Legal or regulatory authorities
We may disclose personal data where required to do so by applicable UK law, court order, or lawful request from a regulatory authority. We will notify you of any such disclosure where we are legally permitted to do so.
Platform administrators
Authenticated Snag Scout administrators may access personal data held in the private_verifications table for the purposes of validating submissions, moderating reviews, and responding to legal or regulatory requests. Access is logged and auditable.
Section 7Your Rights Under UK GDPR
As a data subject under UK GDPR, you have the following rights in respect of your personal data. To exercise any of these rights, contact us atlegal@snagscout.co.uk. We will respond to all valid requests within 30 calendar days.
Right of access (Article 15)
You have the right to request a copy of all personal data we hold about you, including information about how it is processed, who it is shared with, and how long it is retained.
Right to rectification (Article 16)
You have the right to request correction of any inaccurate personal data we hold about you. Where personal data is incomplete, you have the right to have it completed.
Right to erasure (Article 17)
You have the right to request deletion of your personal data. We will comply unless we have a legitimate legal basis for retaining it. Note: anonymised defect records in the public registry contain no personal identifiers and therefore fall outside the scope of erasure rights.
Right to restriction of processing (Article 18)
You have the right to request that we restrict processing of your personal data in certain circumstances — for example, while the accuracy of the data is being contested.
Right to data portability (Article 20)
Where processing is based on your consent or contractual necessity and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.
Right to object (Article 21)
You have the right to object to processing of your personal data where we rely on legitimate interests as the lawful basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent
Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
Right to lodge a complaint
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk if you believe your personal data has been processed unlawfully. We encourage you to contact us first so we can attempt to resolve your concern directly.
Section 8Data Retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law.
→Full legal name & email address:2 years from date of submission, then securely deleted
→Plot number / site address:2 years from date of submission, then securely deleted
→Proof of purchase documents:5 years from date of submission (retained for legal defence purposes), then securely deleted
→Anonymised defect summary & registry data:Retained permanently as part of the public interest registry record
→Server log / technical data:90 days, then automatically purged
→Rankings waitlist email addresses:Until unsubscription or platform closure
Section 9Cookies & Tracking Technologies
Snag Scout uses only the minimum cookies necessary to operate the platform. We do not use advertising cookies or tracking pixels. For aggregate usage statistics we use Vercel Analytics, which is privacy-friendly and cookieless — it sets no cookies and does not track you across other websites.
Session cookies
Used to maintain your form state during the submission wizard. These expire when you close your browser and contain no personal data.
Security cookies
Used to protect against cross-site request forgery (CSRF) attacks. These are strictly necessary for platform security.
Preference cookies
May be used in future to remember your display preferences. Not currently implemented.
Section 10Children's Privacy
Snag Scout is not directed at children under the age of 18 and we do not knowingly collect personal data from children. If you believe a child has submitted personal data through this platform, please contact us immediately at legal@snagscout.co.uk and we will take steps to delete the data promptly.
Section 11International Data Transfers
Snag Scout's database infrastructure is hosted by Supabase on servers located within the European Economic Area (EEA). As such, your personal data does not leave the EEA in the ordinary course of platform operations.
In the event that any data processing occurs outside the EEA or UK, we will ensure that appropriate safeguards are in place in accordance with UK GDPR Chapter V, including reliance on adequacy decisions or standard contractual clauses as appropriate.
Section 12Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, platform functionality, or applicable law. The version number and last updated date at the top of this document will always reflect the current version.
Where changes are material — for example, where we introduce a new category of data processing — we will notify active users by email where we hold a valid email address. Continued use of the platform following notification of changes constitutes acceptance of the updated policy.
Section 13Contact & Complaints
For any questions about this Privacy Policy, to exercise your data subject rights, or to raise a complaint about how we have handled your personal data, please contact us:
Response time: Within 30 calendar days
If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.