Privacy policy

Last updated: March 2026

1. Introduction

Stiplo ("we", "us", "our") is a trading name of NorthBy Ltd, a company registered in England and Wales (company number 17112518), with its registered office at 128 City Road, London, EC1V 2NX. We are committed to protecting your privacy. This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights. It applies to all users of the Stiplo platform and Ghost Scan service, as well as to website owners whose sites we scan for prospecting or demonstration purposes.

This Privacy Policy should be read alongside our Terms of Service, which govern your use of the Service.

2. Data we collect

2.1 Data you provide

  • Email address: provided when you request a Ghost Scan or create an account.
  • Website URL: the hotel website you submit for scanning.
  • Account information: if you sign up for a paid plan, your name and billing details (processed by our payment provider; we do not store full card numbers).

2.2 Data we collect automatically

  • IP address: used for rate limiting and fraud prevention.
  • Referrer URL: the page that led you to Stiplo.
  • UTM parameters: campaign tracking data (utm_source, utm_medium, utm_campaign) if present in the URL.
  • Browser and device information: user agent string, used for analytics and debugging.

2.3 Data generated by our service

  • Website screenshots: captured from the publicly accessible pages of websites we scan.
  • Page content: text extracted from publicly accessible pages (markdown format).
  • Scan findings: AI-generated issue reports including descriptions, severity levels, confidence scores, and screenshot evidence.
  • Structured data: analysis results from parsing publicly available schema markup and metadata.

2.4 What we do not collect

We do not access private systems, login-protected pages, booking engine databases, or personal data of the scanned website's customers. We only process publicly accessible content.

3. Unsolicited and prospecting scans

Stiplo may scan publicly accessible hospitality websites for demonstration, research, quality assurance, and prospecting purposes where the website owner has not initiated the scan. When we do this:

  • Data collected: screenshots and page content from publicly accessible pages only. No personal data of the website's customers or staff is collected.
  • Lawful basis: legitimate interest. We have a legitimate interest in analysing publicly accessible commercial content to demonstrate and improve our service and to contact businesses that may benefit from it.
  • Retention: unsolicited scan data is retained for 12 months from the scan date, then permanently deleted — unless the website owner becomes a user, in which case the standard retention periods in Section 8 apply.
  • Opt out and deletion: website owners may request deletion of unsolicited scan data or opt out of future scans at any time by emailing privacy@stiplo.io. We will action requests within 30 days.

4. How we use your data

  • Deliver the Service: crawl your website, generate scan findings, and deliver reports to your email.
  • Communicate with you: send scan results, service updates, and respond to support requests.
  • Marketing communications: we may send product updates, feature announcements, and tips relevant to your use of the Service. For existing customers, we rely on legitimate interest (soft opt-in under UK PECR). You can unsubscribe at any time using the link in any marketing email or by emailing hello@stiplo.io. Transactional emails (scan results, account notifications) are not affected by marketing opt-out.
  • Improve the Service: use aggregated, anonymised data to improve scanning accuracy, reduce false positives, and develop new features.
  • Prevent misuse: use IP addresses and usage patterns to enforce rate limits and detect abuse.
  • Legal compliance: comply with applicable laws, regulations, and legal requests.

4.1 Anonymised data

Where data has been fully anonymised so that it can no longer identify any individual or specific website, it is no longer personal data under UK GDPR. We may retain anonymised data indefinitely for service improvement, industry benchmarking, and model training purposes.

5. Legal basis for processing (GDPR)

We process your data on the following grounds:

  • Contract: processing is necessary to deliver the scan you requested and to fulfil our Terms of Service.
  • Legitimate interest: improving the accuracy of our service, preventing fraud, understanding usage patterns, scanning publicly accessible websites for prospecting purposes (Section 3), and sending marketing communications to existing customers (Section 4).
  • Legal obligation: where required to comply with applicable laws.

6. Data sharing and third-party processors

We do not sell your personal data. We share data with the following third-party service providers who process it on our behalf to operate the Service:

For each provider, the purpose and the data shared with them are listed below.

  • Vercel: web hosting and API execution. Data shared: request data, IP address.
  • Supabase: database, authentication, file storage. Data shared: all service data, account credentials, screenshots.
  • Firecrawl: website crawling and screenshot capture. Data shared: website URLs, crawl configuration.
  • Anthropic: AI analysis of website content. Data shared: screenshots, page content (text).
  • OpenAI: AI analysis (via OpenRouter). Data shared: website content for multi-model validation.
  • Google (Gemini): AI analysis (via OpenRouter). Data shared: website content for multi-model validation.
  • OpenRouter: AI model routing. Data shared: website content routed to the AI providers above.
  • Browserbase: browser automation for scanning. Data shared: website URLs.
  • Resend: email delivery. Data shared: email address, report content.
  • Inngest: background job orchestration. Data shared: scan metadata, job events.
  • Sentry: error monitoring. Data shared: error logs, request metadata (no personal data).
  • PostHog: product analytics (cookieless mode). Data shared: anonymised page view events (no personal data, no cross-session tracking).
  • DataForSEO: SEO metrics and search rankings. Data shared: website domain name.

These providers are located primarily in the United States. Where data is transferred outside the UK/EEA, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) and the providers' own data protection commitments.

7. Cookies and analytics

We use essential cookies required for the Service to function (authentication, session management). These do not require consent under GDPR as they are strictly necessary.

We use PostHog for product analytics to understand how visitors use our website. PostHog runs in cookieless mode (memory-only persistence), which means:

  • No cookies or local storage are set for analytics purposes.
  • No data is persisted across sessions or browser tabs.
  • No personal data or IP addresses are tracked.
  • Each page visit is treated as an independent, anonymous event.

Because PostHog does not set any cookies or store data on your device, no consent is required under GDPR or UK PECR for this analytics usage.

For full details on cookies, see our Cookie Policy.

8. Data retention

  • Scan data (screenshots, page content, findings) is retained for 24 months from the date of the scan, then permanently deleted.
  • Account data (email, profile) is retained for as long as your account is active and for 24 months after account closure.
  • Lead data (email submitted via free scan without an account) is retained for 24 months from submission.
  • Unsolicited scan data (prospecting scans where the website owner has not initiated the scan) is retained for 12 months from the scan date, then permanently deleted — unless the website owner becomes a user, in which case the standard retention periods above apply.
  • You may request earlier deletion at any time (see "Your rights" below).

9. Data security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. While we take reasonable steps to safeguard your data, no system is completely secure and we cannot guarantee absolute security.

10. Data breach notification

In the event of a personal data breach, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours where required under UK GDPR.
  • Notify affected individuals without undue delay where the breach poses a high risk to their rights and freedoms.
  • Document all breaches and the remedial actions taken, regardless of whether notification to the ICO is required.

11. Your rights

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate or incomplete data.
  • Erasure: request deletion of your personal data ("right to be forgotten").
  • Data portability: receive your data in a structured, machine-readable format.
  • Restriction: ask us to limit how we process your data.
  • Objection: object to processing based on legitimate interest, including objecting to unsolicited scans of your website.

To exercise any of these rights, email us at privacy@stiplo.io. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

12. Children

The Service is not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. International data transfers

Some of our third-party processors are based outside the UK and European Economic Area, primarily in the United States. When transferring personal data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), UK International Data Transfer Agreements (IDTAs), or reliance on the provider's participation in recognised data protection frameworks.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on our website. The "last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes constitutes acceptance.

15. Contact and data protection

The founder serves as the data protection lead at Stiplo. We are not required to appoint a formal Data Protection Officer under UK GDPR given the nature and scale of our processing, but we take data protection seriously and have designated a responsible person.

NorthBy Ltd, 128 City Road, London, EC1V 2NX.

For privacy questions, data protection requests, or to exercise your rights, contact us at privacy@stiplo.io.

For general enquiries about the Service, contact hello@stiplo.io.
