Privacy Policy

Last updated: 8 May 2026. How we collect, use and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR).

This Privacy Policy explains how Soho London (operated by Teksyte LTD) ("we", "us", "our") collects, uses, discloses and safeguards your personal data when you visit the Soho London website (the "Service"). It has been drafted to comply with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 ("PECR") and applicable guidance from the Information Commissioner's Office ("ICO").

01

Data Controller & Contact

The data controller for personal data collected through the Service is Teksyte LTD, trading as Soho London, with business correspondence address at 71–75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom. We have not appointed a statutory Data Protection Officer because our processing does not meet the thresholds in Article 37 UK GDPR; however we have designated a privacy contact who you can reach at privacy@soho-london.co.uk.

If you have a complaint about our handling of your data, please contact us first so that we can try to resolve it. You also have the right to lodge a complaint with the Information Commissioner's Office at any time — see ico.org.uk.

02

Data We Collect

The personal data we collect depends on how you interact with the Service:

(a) Visitors. We automatically receive limited technical information about every request: IP address (truncated for analytics), user-agent string, referring URL, request timestamp, pages viewed, approximate location derived from IP, and device/browser category. This is server-log data inherent to operating any internet service.

(b) Account holders & listing owners. When you register an account or submit a Listing, we collect your name, business name, email address, phone number (optional), business address, business description, photographs, business hours, social-media handles and any other information you choose to submit.

(c) Contact form submissions. When you contact us via the contact form we collect your name, email address, subject, message, and (optionally) phone number.

(d) Newsletter subscribers. When you subscribe to the Inside Soho newsletter we collect your email address and the timestamp/IP of the opt-in (as required under PECR).

(e) Paid subscribers & advertisers. Payment details (card number, billing address, VAT status) are collected by our payment-processor partners (PayPal, Stripe) and not stored on our servers. We receive a transaction reference, amount, payment method type (e.g. "Visa ending 1234") and billing address for invoicing.

(f) Reviews & user-submitted content. Where the Service allows you to post a review or comment we collect the content of the submission, the display name you choose, and the timestamp. Reviews are public by design.

(g) Cookies & similar technologies. See our Cookie Policy for a complete list of cookies and analytic identifiers we set, the categories they fall into, and how to manage your consent.

03

Lawful Bases for Processing

Under Article 6 UK GDPR we process personal data only where we have a valid lawful basis. The basis we rely on depends on the purpose:

  • Contract (Art. 6(1)(b)) — to deliver paid subscriptions, invoice you, provide support, and perform the agreement set out in the Terms & Conditions.
  • Legitimate interests (Art. 6(1)(f)) — to operate and secure the Service, prevent fraud and abuse, analyse aggregate traffic, improve features, and contact listed businesses about their Listing. We have documented a Legitimate Interests Assessment (available on request) that balances these interests against your rights and freedoms.
  • Consent (Art. 6(1)(a)) — for non-essential cookies, analytics beyond aggregate metrics, newsletter subscriptions, and any other processing where consent is required by PECR or UK GDPR. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — to comply with statutory record-keeping (e.g. HMRC requirements for tax invoices), respond to lawful law-enforcement requests, and meet anti-money-laundering obligations in cases where we facilitate a transaction.

We do not knowingly collect special-category personal data (Article 9). If you include such data in user-submitted content or a message to us, you give explicit consent under Article 9(2)(a) UK GDPR to the minimum processing necessary to respond.

04

How We Use Your Data

We use personal data to:

  • operate, maintain and improve the Service;
  • publish and manage Listings (for listing owners);
  • respond to enquiries sent via the contact form;
  • send the Inside Soho newsletter where you have opted in;
  • process paid subscriptions, issue invoices and recover unpaid fees;
  • moderate and publish user reviews;
  • analyse aggregate traffic patterns (bounce rate, pageviews, device mix) to improve editorial coverage and UX;
  • prevent fraud, scraping, spam and abuse (by logging suspicious request patterns and applying rate-limits);
  • comply with legal obligations;
  • where you have explicitly consented, to send occasional editorial or promotional emails about Soho venues and events — you can unsubscribe at any time via the link in every such email.

05

Who We Share Data With (Sub-Processors)

We do not sell your personal data. We share it only with vetted processors who help us operate the Service, each bound by a written data-processing agreement under Article 28 UK GDPR:

  • Hetzner Online GmbH (Germany) — primary hosting infrastructure. IP-logged data stored in-region.
  • Cloudflare, Inc. (United States) — DNS, DDoS protection, edge caching, TLS termination. Operates under the UK IDTA for transfers outside the UK.
  • Cloudflare R2 — storage of uploaded images and media assets.
  • Google Ireland Limited — Google Analytics 4 (GA4) and Google Tag Manager (GTM). We use GA4 for aggregate web analytics and GTM as the deployment layer for analytics tags. Configured with Consent Mode v2 in advanced mode: until you grant consent via our cookie banner, GA4 only sends cookieless aggregate signals that Google’s conversion-modelling estimates as anonymous totals (no individual identification). After you click "Accept All", GA4 receives full session data including events listed in our Cookie Policy. IP addresses are anonymised at collection (last octet truncated) and user/event data is retained for 14 months before automatic deletion. See policies.google.com/privacy.
  • PayPal (Europe) S.à r.l. et Cie, S.C.A. and/or Stripe Payments Europe Ltd — payment processing for paid subscriptions and advertiser invoicing.
  • Transactional email provider — delivery of password resets, invoices, contact-form auto-replies and the Inside Soho newsletter.
  • Anthropic, PBC and OpenAI, L.L.C. — AI systems used server-side for content generation and SEO assistance. Input data is limited to editorial copy and does not include your personal data.
  • Law-enforcement or regulatory authorities, where we are legally compelled to disclose data, such as in response to a valid court order or ICO request.

We may also share anonymised or aggregated data (which cannot identify you) with partners for industry research or editorial benchmarking.

06

International Data Transfers

Some of our processors (notably Cloudflare, Stripe, Anthropic and OpenAI) are based outside the UK. Where personal data is transferred outside the UK, we ensure the transfer is covered by one of the safeguards listed in Articles 45–47 UK GDPR, typically the UK International Data Transfer Addendum to the EU Standard Contractual Clauses ("IDTA"), or an adequacy decision made by the UK Secretary of State. Copies of these safeguards are available on request from privacy@soho-london.co.uk.

07

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

  • Account data: for as long as the account is active, plus 12 months after closure for dispute resolution;
  • Listing content: published indefinitely until removed by the business owner or by us under our Takedown Procedure;
  • Contact-form messages: 24 months;
  • Newsletter subscription: until you unsubscribe;
  • Paid-subscription invoicing and tax records: 7 years (HMRC statutory minimum for UK businesses);
  • Reviews: published indefinitely (you may request deletion of your own review at any time);
  • Server access logs: 30 days rolling;
  • Analytics data: 14 months for user-level and event-level data (GA4 retention setting), then automatic deletion. Aggregate, anonymised reports may be retained indefinitely for trend analysis with no individual identifiability;
  • Cookie consent records: 13 months (to honour "refresh consent" obligations under ICO guidance).

08

Your Rights under UK GDPR

You have the following rights in relation to your personal data:

  • Right of access (Art. 15) — to obtain a copy of the personal data we hold about you and information about how we process it.
  • Right of rectification (Art. 16) — to have inaccurate or incomplete data corrected.
  • Right of erasure (Art. 17) — to have your data deleted where there is no overriding legitimate reason to keep it.
  • Right to restrict processing (Art. 18) — to ask us to freeze processing of your data in certain circumstances.
  • Right to data portability (Art. 20) — to receive your data in a structured, commonly-used machine-readable format.
  • Right to object (Art. 21) — to object to processing based on our legitimate interests, and to direct marketing at any time.
  • Right to withdraw consent (Art. 7(3)) — to withdraw consent you have previously given, without affecting processing that took place before withdrawal.
  • Right not to be subject to automated decision-making (Art. 22) — we do not use automated decision-making that produces legal or similarly significant effects on you.

To exercise any of these rights, email privacy@soho-london.co.uk. We will respond within one month. We may ask for proof of identity before acting on a request. We do not charge a fee for exercising these rights unless the request is manifestly unfounded or excessive.

09

Security

We implement appropriate technical and organisational measures, proportionate to the risk, to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, including:

  • TLS 1.2+ encryption in transit for all public endpoints;
  • HSTS preloading and strict Content-Security-Policy headers;
  • password hashing with modern bcrypt;
  • operating-system keychain encryption for credentials stored in our desktop tooling (via Electron safeStorage);
  • access-control on production databases limited to named administrators over SSH key + IP allowlist;
  • regular security updates to dependencies;
  • Cloudflare WAF rules blocking known attack patterns.

If we become aware of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where high-risk, notify affected individuals without undue delay, as required by Articles 33–34 UK GDPR.

10

Children

The Service is not directed at children under 13 and we do not knowingly collect personal data from children. Some venues listed on the Service are licensed premises (bars, casinos, nightclubs) and are available only to adults; nothing on the Service should be taken as an invitation for under-18s to enter such venues. If you believe we have inadvertently collected a child's data, please contact privacy@soho-london.co.uk and we will delete it.

11

Automated Decision-Making & Profiling

We do not use personal data to make decisions that produce legal effects or similarly significant effects on you based solely on automated processing. The Service does perform some lightweight personalisation (e.g. showing relevant listings based on category browsing), but this does not amount to Article 22 automated decision-making.

12

Cookies

See our dedicated Cookie Policy for full details of the cookies and similar technologies used on the Service, how to manage consent and how to disable specific categories.

13

Changes to this Policy

We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. Material changes affecting how we process your data will be communicated by email (to registered users) or by a prominent banner on the Service, at least 14 days before taking effect.

14

Contact

To exercise any of your rights, to withdraw consent, or to ask a question about this Privacy Policy:
