Who we are

Sweetstep is a free UK connectivity lookup tool operated by sweetstep.co.uk. We are the data controller for personal data processed through this service.

Contact: use the contact form.

What we collect — and what we don't

Anonymous lookup events. When you look up a postcode, we record:

• A random session identifier (a UUID we generate for your browser tab, rotated every 24 hours)
• The postcode you searched
• The Output Area, Local Authority, and region codes that postcode maps to
• Whether you searched from a mobile or desktop device
• Whether you looked up a second postcode in the same session (to detect comparison behaviour)
• A timestamp

We do not collect your name, email address, IP address, or any account identifier in connection with lookup events. Session identifiers are random and cannot be linked back to you after the session ends.

Account data (registered users only). If you create an account to use the API, we process your email address and any name you provide.

Why we collect it

Anonymous lookup events are collected under legitimate interest (Article 6(1)(f) UK GDPR). We use them to understand search behaviour, how the tool is being used, and where to focus improvement effort.

Account data is collected to provide API access (contract performance, Article 6(1)(b) UK GDPR).

How long we keep it

Anonymous lookup events are deleted automatically after 24 months. A scheduled process runs monthly to purge records older than this threshold.

Account data is retained for as long as your account is active, plus a reasonable period to resolve any disputes or comply with legal obligations.

Session storage — not cookies

Session identifiers are stored in your browser's sessionStorage, not in cookies. This means they are cleared automatically when you close the browser tab. They are not accessible to other websites and are not sent to any server in request headers.

See our Cookie Policy for full details of what storage mechanisms we use.

Third-party processors

We use SOC 2 Type II infrastructure sub-processors. Each processes data only as necessary to provide the service.

None of these processors sell your data or use it for advertising.

Your rights under UK GDPR

You have the right to:

• Access — request a copy of personal data we hold about you
• Rectification — ask us to correct inaccurate data
• Erasure — ask us to delete your data
• Restriction — ask us to limit how we use your data
• Portability — receive your data in a machine-readable format
• Object — object to processing based on legitimate interest

Note: because anonymous lookup events contain no identifier linked to you, we cannot locate or delete a specific person's lookup records — they are genuinely anonymous. Rights requests apply to account data.

To exercise any right, use the contact form. We will respond within 30 days.

Complaints

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO). We would appreciate the opportunity to address your concern first — please contact us before escalating to the ICO.

Changes to this policy

We will update this page if our practices change and note the date at the top. Material changes will be announced via the changelog.