Summary: We collect only what we need to run the service. We never sell your data. Analytics only fire with your consent. You can delete your data at any time by emailing privacy@wherecanimove.com.
As we are currently in beta, we are in the process of completing our formal ICO registration. If you are in the UK or EU and have a privacy concern, please contact us directly and we will respond within 72 hours.
2. What data we collect
Data you voluntarily provide
Email address — if you enter it in the beta notification form or the report email form. Used only to send the report or the notification you requested.
Assessment data — nationality, age, family details, financial ranges, ancestry, goals. This is sent directly to Anthropic's API to generate your report. We do not store this data after your session ends. It is not logged by us.
Data collected automatically (with consent)
Analytics data — page views, events, session duration, approximate location (country-level only) via Google Analytics 4 and PostHog. Only collected if you accept analytics cookies.
IP address — processed by Cloudflare (our hosting provider) for security and routing. We do not log or store IP addresses ourselves.
Data we never collect
We never collect precise financial data — budget sliders and income ranges are descriptive, not exact figures
We never store passport numbers, identity documents, or government IDs
We never collect payment card data (handled entirely by Stripe)
We never collect data from children under 16
3. Why we collect it (legal basis)
Under GDPR Article 6, we rely on the following legal bases:
Consent (Art. 6(1)(a)) — analytics cookies, marketing emails. You can withdraw consent at any time via Cookie Settings in the footer.
Contract (Art. 6(1)(b)) — processing your assessment data and delivering your report is necessary to provide the service you requested.
Legitimate interests (Art. 6(1)(f)) — maintaining security, preventing fraud, and improving service quality.
4. Cookies and tracking
We use three categories of cookies:
Essential cookies (no consent required)
wcim_lang — stores your language preference. Duration: 1 year.
wcim_consent_v1 — records your cookie consent choice. Duration: 13 months.
wcim_consent_date — records when consent was given. Duration: 13 months.
Analytics cookies (consent required)
Google Analytics 4 — _ga, _gid. Set by Google. We have configured GA4 with IP anonymisation enabled and advertising features disabled. Duration: up to 2 years.
PostHog — session recording and product analytics. EU-hosted instance (eu.posthog.com). No advertising use. Duration: up to 1 year.
No marketing or advertising cookies
We do not use any advertising, retargeting, or social media tracking cookies.
You can change your cookie preferences at any time using the link in our footer.
5. Third-party services
Anthropic — your assessment responses are sent to Anthropic's Claude API to generate your report. Anthropic's privacy policy applies to this processing. Anthropic does not use your data to train models (Enterprise API). Anthropic Privacy Policy →
Cloudflare — we use Cloudflare for hosting, CDN and security. Cloudflare processes request data in accordance with their DPA. Cloudflare Privacy Policy →
Resend — if you request your report by email, we use Resend to deliver it. Your email address is passed to Resend for this purpose only. Resend Privacy Policy →
Google Analytics — analytics only, with IP anonymisation and no advertising signals. Data transferred to Google in accordance with Standard Contractual Clauses. Google Privacy Policy →
Email addresses (beta list) — held until you unsubscribe or ask us to delete them, or 24 months from the last contact, whichever is sooner.
Assessment data — not stored by us. Passed to Anthropic API and discarded. Anthropic retains API inputs for up to 30 days for safety monitoring under their policy.
Analytics data — retained in GA4 for 14 months, PostHog for 12 months.
Blog post KV data — auto-expires after 90 days.
7. Your rights (GDPR)
If you are in the UK or EU, you have the following rights:
Right of access — request a copy of all data we hold about you
Right to rectification — request correction of inaccurate data
Right to erasure — request deletion of your data ("right to be forgotten")
Right to restriction — request we limit how we process your data
Right to portability — receive your data in a machine-readable format
Right to object — object to processing based on legitimate interests
Right to withdraw consent — withdraw analytics consent at any time via Cookie Settings
Right to complain — lodge a complaint with the ICO (UK) or your national supervisory authority (EU)
To exercise any right, email privacy@wherecanimove.com. We will respond within 30 days (UK GDPR requirement).