Privacy Policy
Last updated: April 2026
1. Introduction
This Privacy Policy explains how REDWELL (UK) LIMITED (“we”, “us”, “our”), a company registered in England and Wales under company number 06342877, with its registered office at The Old Police Station, West Square, Maldon, Essex, England, CM9 5AL, collects, uses, stores and shares your personal data when you use CurbScore at curb-score.com (“the Service”).
We are committed to protecting your privacy and handling your personal data in an open and transparent manner, in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and applicable US state privacy laws including the California Consumer Privacy Act (“CCPA”).
By using the Service you acknowledge that you have read and understood this Privacy Policy. If you do not agree with how we handle your data, please do not use the Service.
2. What Data We Collect
2a. Data you provide directly
When you use the Service, you may provide:
- Business name and city — used to search for and identify your business on Google.
- Email address — used to deliver your report, manage your account, and send service-related communications.
- Payment information — processed directly by Stripe. We do not store or have access to full card details at any point.
2b. Data collected automatically
When you visit curb-score.com, our hosting infrastructure (Vercel) may automatically collect standard server log data including:
- IP address and approximate geographic location
- Browser type and version
- Pages visited and time spent on each page
- Referring website
- Date and time of access
We use a session cookie (consent) to remember whether you have accepted our cookie policy, and Supabase authentication cookies to keep you signed in to your account. No third-party advertising or tracking cookies are set.
2c. Data retrieved from third parties
To generate your audit report, we retrieve publicly available information about your business from the Google Places API. This may include your business name, address, phone number, website, opening hours, customer ratings, review count, photos, and business category. This data is publicly visible on Google Maps and Google Search. We do not store this data beyond the duration of your session or audit generation.
2d. Data generated by the Service
We generate and store an AI-produced audit report containing scores, grades, and recommendations for your business. This report is associated with your email address and stored in our database to enable account access and the monthly monitoring feature.
3. How We Use Your Data
We process your personal data for the following purposes and on the following legal bases under UK GDPR:
| Purpose | Legal basis |
|---|---|
| Delivering your audit report after payment | Performance of contract |
| Processing payment via Stripe | Performance of contract |
| Sending your report by email | Performance of contract |
| Managing your account and login | Performance of contract |
| Monthly re-audits and score-change alerts (subscription) | Performance of contract |
| Sending transactional service emails (e.g. report delivery) | Performance of contract |
| Maintaining security and preventing fraud | Legitimate interests |
| Improving the Service through usage analysis | Legitimate interests |
| Complying with legal obligations | Legal obligation |
| Marketing emails (only if you have opted in) | Consent |
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
4. Who We Share Your Data With
We share your data only with the third-party service providers necessary to operate the Service. We do not sell your personal data to any third party.
Stripe — Payment processing
Stripe processes your payment card data on our behalf. We receive a customer ID and transaction confirmation only — we never see or store your full card details. Stripe is PCI-DSS Level 1 certified.
Stripe Privacy Policy
Supabase — Database and authentication
Supabase stores your email address, business audit history, and subscription status. It also handles passwordless sign-in (magic links). Supabase infrastructure is hosted in the EU.
Supabase Privacy Policy
Resend — Transactional email delivery
Resend delivers your audit report email and any service notifications. Your email address and the content of your report are transmitted to Resend for this purpose.
Resend Privacy Policy
Google Places API — Business data retrieval
We send your business name and city to the Google Places API to retrieve publicly available information about your business. Google processes this query in accordance with its own privacy policy.
Google Places API Privacy Policy
Anthropic — AI report generation
Your business name, city, and the public data retrieved from Google are sent to Anthropic's Claude API to generate your audit report. We do not send your email address or payment details to Anthropic.
Anthropic Privacy Policy
Vercel — Hosting and infrastructure
The Service is hosted on Vercel's platform. Vercel may process standard server log data including IP addresses as part of hosting the application.
Vercel Privacy Policy
We may also disclose your personal data where required by law, court order, or lawful request by a regulatory authority, or to protect the rights, property, or safety of REDWELL (UK) LIMITED, our users, or the public.
5. International Data Transfers
Some of our third-party service providers are based in the United States. When your personal data is transferred to the US, we ensure that appropriate safeguards are in place in accordance with UK GDPR requirements. These safeguards typically include:
- Standard Contractual Clauses (“SCCs”) approved by the UK Information Commissioner's Office (“ICO”)
- Adequacy decisions where applicable
- The provider's participation in the UK-US Data Bridge framework where relevant
By using the Service, you acknowledge that your data may be transferred to and processed in the United States and other countries outside the UK and EEA. You can request details of the specific safeguards we rely on for any given transfer by contacting us at support@curb-score.com.
6. Data Retention
We retain your personal data for as long as necessary to provide the Service and fulfil the purposes described in this policy, subject to any legal obligations to retain data for longer periods.
- Email address and account data — retained for the duration of your account and for up to 2 years after your last interaction with the Service.
- Audit report data — retained for the duration of your account to enable report access and history.
- Payment records — retained for 7 years to comply with UK financial record-keeping obligations.
- Server log data — typically retained for up to 90 days by our hosting provider.
You may request deletion of your personal data at any time by contacting us at support@curb-score.com. We will fulfil such requests within 30 days, subject to any legal obligation to retain specific records.
7. Cookies and Tracking
CurbScore uses a minimal set of cookies strictly necessary to operate the Service. We do not use third-party advertising cookies, cross-site tracking, or behavioural profiling.
| Cookie name | Purpose | Expiry |
|---|---|---|
| consent | Records your cookie consent preference | 365 days |
| sb-* (Supabase) | Keeps you signed in to your account | Session / 1 year |
You can disable cookies in your browser settings; however, doing so may prevent you from signing in to your account or accessing certain features of the Service.
8. Your Rights Under UK GDPR
If you are located in the UK or European Economic Area, you have the following rights in respect of your personal data:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request that we correct any inaccurate or incomplete personal data we hold.
- Right to erasure: You may request that we delete your personal data where there is no compelling reason for us to continue processing it.
- Right to restriction of processing: You may ask us to restrict processing of your data in certain circumstances, for example while a correction request is being assessed.
- Right to data portability: You may request a copy of certain personal data in a structured, commonly used, machine-readable format.
- Right to object: You may object to our processing of your data where we rely on legitimate interests as our legal basis, unless we can demonstrate compelling legitimate grounds.
- Rights related to automated decision-making: You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not currently make such decisions.
To exercise any of these rights, please contact us at support@curb-score.com. We will respond within 30 days. We may need to verify your identity before fulfilling your request.
You also have the right to lodge a complaint with the UK's data protection supervisory authority, the Information Commissioner's Office (“ICO”), at ico.org.uk or by calling 0303 123 1113.
9. Rights of US Residents (CCPA)
If you are a resident of California, you have additional rights under the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”):
- Right to know — You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, and the purposes for which it is used.
- Right to delete — You may request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to correct — You may request correction of inaccurate personal information.
- Right to opt out of sale or sharing — We do not sell or share your personal information for cross-context behavioural advertising.
- Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA rights.
Residents of other US states with applicable privacy laws (including Virginia, Colorado, Connecticut, Utah, and Texas) may have similar rights. We will honour requests from residents of these states on a best-efforts basis consistent with applicable law.
To exercise your US privacy rights, please contact us at support@curb-score.com. We will respond within 45 days as required by the CCPA.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. These measures include:
- All data transmitted between your browser and our servers is encrypted in transit using TLS.
- Passwords are never stored — authentication uses magic links sent to your email address.
- Database access is restricted by row-level security policies (Supabase RLS).
- Payment data is handled entirely by Stripe and is never processed or stored on our servers.
- API keys and secrets are stored as environment variables and are never exposed in client-side code.
Despite these measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of your data. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR.
11. Children's Privacy
The Service is intended for use by business owners and adults aged 18 and over. We do not knowingly collect personal data from children under the age of 13 (or under 16 in the UK, where applicable). If you believe we have inadvertently collected data from a child, please contact us at support@curb-score.com and we will promptly delete it.
12. Affiliate Links
The Resources section of the Service (curb-score.com/resources) and our audit reports contain links to third-party tools and services. Some of these links are affiliate links, meaning we may earn a commission if you click through and make a purchase or sign up, at no additional cost to you.
Affiliate links are clearly disclosed wherever they appear. The inclusion of a tool in our resources is based on our genuine belief that it may be useful to small businesses; our recommendations are not influenced by whether or not an affiliate relationship exists.
When you click an affiliate link, the third-party website may set its own cookies and collect data in accordance with its own privacy policy. We have no control over and accept no responsibility for the privacy practices of third-party websites.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, the Service, or applicable law. When we make material changes, we will update the “Last updated” date at the top of this page.
For active monthly subscribers, material changes to this policy will be communicated by email at least 14 days before taking effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy.
14. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to raise a concern about how we handle your data, please contact us:
REDWELL (UK) LIMITED
The Old Police Station
West Square, Maldon
Essex, England, CM9 5AL
Company number: 06342877
Email: support@curb-score.com
Website: curb-score.com
You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint if you believe we have not handled your data in accordance with applicable law.