Privacy Policy

Last updated: 7th July 2026

1. Introduction

This privacy policy explains how Plota ("we", "us", or "our") collects, uses, and protects your personal information when you use our service at plota.co.uk. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR).

2. Who We Are

Service: Plota - UK planning application search, alerts, and data (free public search and alerts, with an optional paid API)
Purpose: A UK planning application search engine - search, maps, alerts, application tracking, classified application types, historical records back to 2016, and a developer API - helping people and businesses find, monitor, and analyse planning activity across the UK
Contact: privacy@plota.co.uk

3. What Information We Collect

Information you provide:

  • Email address: Required to send you planning alert emails
  • Area preferences: The location data you give us when setting up an alert. This may be a postcode + radius, a town, a council, a custom drawn area on the map, an H3 hex grid selection, or a nation-wide alert with a planning-category filter
  • Schedule preferences: Whether you want daily, weekly, or fortnightly digests; the day of the week and time of day you want them delivered
  • Alert names and labels: Optional human-readable names you assign to your saved alerts
  • Filter preferences: Any application-type filter you apply to an alert (e.g. "new homes only"); whether you've opted to exclude tree applications
  • Tracked applications: The individual planning applications you choose to track, and whether you want notifications about status changes, decisions, or new documents
  • API account information: If you request API access, we collect your email address and may collect your name, company, intended plan, expected usage, and a description of what you are building. We also store the information needed to manage your API key, usage limits, and any webhooks you configure
  • Account password (optional): If you choose to set a password for your dashboard instead of signing in with an email link, we store it securely

Information we collect automatically to operate the service:

  • IP addresses: Logged for security and abuse prevention
  • Alert lifecycle timestamps: When you subscribed, confirmed your email, last visited your My areas dashboard, last received an alert, and when each alert is scheduled to next fire
  • Alert delivery history: Records of which planning applications we've sent you, used to prevent duplicate notifications
  • Alert health status: A derived status flag (healthy / paused / portal-unavailable) per alert so we can surface issues in your dashboard
  • Session token: A signed token, stored in your browser, that lets you access your My areas dashboard without a password
  • API usage: If you use the API, we record request times, endpoints, response status, and IP address to apply usage limits, investigate errors, and prevent abuse

Planning application information (from public registers):

Separately from the personal information above, Plota collects a wide range of publicly available planning application information from council planning registers and makes it searchable, including:

  • Address, map location / coordinates, and a link to the official council record
  • Reference number, application type, and the description / proposal
  • Status, decision, decision dates, and decision level
  • Key dates such as received, validated, and target/determination dates, and consultation, committee, or press dates where published
  • Ward, parish, and case officer
  • Applicant and agent names, and the agent's company where given
  • Appeal status and outcome, where applicable
  • Documents listed on the application - their titles, types, publication dates, and links to the files on the council's own website

We use this information to provide planning search, maps, alerts, and API services. Plota also holds over 10 million historical planning records dating back to 2016, which we keep searchable alongside current applications. In addition to keyword search, we categorise applications by type (for example new homes, extensions, or telecoms) using our own classification system, so you can filter and set alerts by category. Where a field names a private individual (for example an applicant), we mask it on public pages so it is not indexed by search engines. If you believe information displayed by Plota is incorrect, contact us and we will check it against the council source.

Information we do NOT collect:

  • We do not require your name, phone number, or any other personal details to use planning search and alerts
  • We do not track your precise location - only the postcode or area you tell us
  • We do not currently collect payment card details through the public Plota search and alerts service

4. How We Use Your Information

We use your information to provide the Plota features you request, including planning alerts, saved areas, application tracking, dashboards, smart search, API access, exports, and webhooks. In particular:

  1. Alerts: To send you email alerts about new planning applications in your chosen area, and to keep them relevant and free of duplicates
  2. My Areas dashboard: To run your My Areas dashboard - accessed by an email sign-in link or an optional password - where you manage saved areas and tracked applications
  3. Application tracking: To monitor the planning applications you track and send the notifications you have requested (status changes, decisions, or new documents)
  4. API access: To create and administer your API account, apply usage limits, and deliver data to any webhook you configure
  5. Exports: To let you download the planning applications you're viewing or matching as a CSV file
  6. Security: To log IP addresses and prevent abuse of our service
  7. Communication: To send confirmation and account emails related to the features you use

Smart search: When you use smart search, your plain-English query is processed using a large language model (our AI provider, Anthropic) purely to translate it into Plota's own search filters. The AI is used only to interpret your query - it is not used to search, read, or analyse our planning data, which is handled entirely by Plota's own systems. We do not use smart-search queries for marketing.

API: The API returns planning application data only - it never exposes other users' alerts, tracked applications, or account details. Through the API dashboard you can create and revoke keys, monitor your own usage, configure webhooks, and close your account at any time. We apply per-key rate limits and monitor for abuse to keep the API reliable and secure for everyone.

We will NEVER:

  • Send you marketing emails or promotional content
  • Sell or rent your email address, or share it with third parties for their own marketing
  • Send you emails unrelated to the Plota features you use

5. Legal Basis for Processing

  • Consent (Article 6(1)(a) UK GDPR): When you subscribe, you provide explicit consent for us to send you email alerts. You can withdraw consent at any time by unsubscribing.
  • Legitimate interest (Article 6(1)(f) UK GDPR): We have a legitimate interest in logging IP addresses for security and fraud prevention.

6. How We Share Your Information

Email service providers (Resend and Brevo):

We use Resend and Brevo (formerly Sendinblue) to send confirmation, alert, and account emails. Your email address is shared with these providers for email delivery. See the Resend privacy policy and the Brevo privacy policy.

AI provider (Anthropic):

When you use smart search, only your search query is sent to Anthropic so a large language model can translate it into Plota's search filters. We do not send our planning data or your account information to Anthropic. See the Anthropic privacy policy.

Geocoding and address lookup:

To turn the places you search for into map locations and to power search suggestions, we use third-party geocoding and address-lookup services, including OpenStreetMap Nominatim, postcodes.io, and Google Maps. Only the place, postcode, or address you search is sent to these services - never your alerts, tracked applications, or account details.

Hosting provider (DigitalOcean):

Our service is hosted on DigitalOcean's London data centre. Your data is stored securely on servers in the United Kingdom.

Content delivery & security (Cloudflare):

Our site is served through Cloudflare, which processes visitors' IP addresses and request data to provide caching, DDoS protection, and bot/abuse filtering, and may set an essential security cookie for this purpose.

Webhooks and external integrations you configure:

If you configure a webhook or external integration through the API, we send the requested planning data to the destination URL you provide. You are responsible for that external service and how it uses the data.

Planning data sources:

We monitor publicly available council planning portals. We do not share any of your personal information with councils.

We do NOT:

  • Share your data with advertisers or marketing companies
  • Sell your personal information to anyone

7. Data Retention

We keep information for as long as you use the relevant Plota feature, and we distinguish between the different products associated with your email address:

Alerts:

  • Your email, area preferences, and the alert history needed to prevent duplicate notifications are stored while the alert is active
  • When you delete an alert, we delete the information associated with that alert. Removing one alert does not automatically delete your other alerts, tracked applications, or an API account linked to the same email address

Tracked applications:

  • When you remove a tracked application, we delete the record of you tracking it (and stop any notifications for it). The application's public planning data remains available in Plota's search as it comes from the council register

API accounts:

  • When you close an API account, we deactivate the associated keys and delete the account details. We may retain limited API request logs for up to 14 days for security and abuse prevention before they are removed

Operational and technical data:

  • IP addresses and server logs: kept for up to 90 days for security and abuse prevention, then deleted
  • Smart-search queries: not stored beyond running your search, aside from short-term logs kept for up to 30 days for abuse prevention and to improve search
  • Session / sign-in tokens: retained while your account is active and expire after around 12 months of inactivity, after which you simply re-verify by email
  • Records held by our providers (for example email delivery logs at Resend or Brevo, or security logs at Cloudflare) are kept according to each provider's own retention policy, which we do not control

You can contact us at any time to request deletion of all personal information associated with your email address.

8. Your Rights (UK GDPR)

Right to access:

You can request a copy of the personal information we hold about you by emailing privacy@plota.co.uk.

Right to rectification:

You can update your preferences via the manage link in any alert email, or unsubscribe and re-subscribe with correct details.

Right to erasure:

Click the unsubscribe link in any alert email to remove that alert, or email us to request deletion of all personal information associated with your email address (including any alerts, tracked applications, and API account).

Right to withdraw consent:

Unsubscribe at any time via the link in any email. This stops future alert emails for that alert.

Right to data portability:

Request a copy of your subscription data in JSON format by emailing privacy@plota.co.uk.

9. How to Unsubscribe

Every alert email includes an unsubscribe link. Click the link and confirm on the unsubscribe page to remove that alert and its associated data. You can also email privacy@plota.co.uk to request removal of a specific product or of all personal information associated with your email address.

10. Data Security

  • Encrypted connections: All communication uses HTTPS/TLS
  • Secure storage: Data stored in a secure database with restricted access
  • Rate limiting: We implement rate limits to prevent spam and abuse
  • Regular updates: Our servers and software are regularly updated

11. Cookies and Tracking

Our website uses minimal tracking. We do not use advertising cookies, tracking pixels, or cross-site tracking. We may use essential cookies for basic functionality, including an essential security cookie set by Cloudflare (__cf_bm) for bot and abuse protection.

12. International Data Transfers

Where we can, your data stays in the UK or EEA:

  • Database hosting: DigitalOcean, London data centre - stored in the UK
  • Email delivery: Brevo, based in the EU

Some providers are based outside the UK/EEA (mainly the US), so using them involves transferring personal data internationally:

  • Email delivery: Resend (US)
  • Smart search: Anthropic (US) - receives only your search query
  • Content delivery & security: Cloudflare (US, global edge network) - handles IP/request data
  • Geocoding: Google Maps (US); OpenStreetMap Nominatim and postcodes.io are UK/EU-based

For those US transfers, we rely on each provider's data processing terms, which incorporate the UK International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses) and, where the provider is certified, the UK extension to the EU-US Data Privacy Framework. These are the specific safeguards UK GDPR requires for sending personal data outside the UK.

13. Changes to This Policy

We may update this policy from time to time. The "last updated" date will be revised. Significant changes will be communicated to subscribers via email.

14. Contact Us

We aim to respond to all enquiries within 7 working days.


In plain English:

  • We collect your email address, the areas + categories you want to be alerted about, applications you track, any API account details, and the operational data needed to run those features
  • We use your data to provide the Plota features you request - planning alerts, saved areas, application tracking, dashboards, smart search, and API access - no marketing, no spam
  • Smart search sends your query to our AI provider (Anthropic) to turn it into search filters
  • You can unsubscribe from any alert via the link in any email, or email us to delete everything tied to your address
  • We use Resend and Brevo to send emails, Anthropic for smart search, and DigitalOcean (London) to host the service
  • We never sell your data or share it with advertisers