Privacy Policy
Last updated: 21 April 2026
1. Who We Are
CommercialUK is a service operated by Panematch Limited, a company registered in England and Wales (company number 17171669), registered office 26–28 Headlands, Kettering, NN15 7HP.
Panematch Limited is the data controller for personal data processed via the CommercialUK website (commercial-uk.co.uk). In this policy, "we", "us" and "our" refer to Panematch Limited.
ICO registration number: CSN5446139 — verify on the ICO public register
Data Protection Lead: Darren McLoughlin — privacy@commercial-uk.co.uk
2. Information We Collect
Information you give us directly:
- Name, email address, phone number, company name when you submit an enquiry or register as an agent
- Property listing details when you create or claim a listing
- Messages you send us via our contact, claim, takedown or data-rights forms
Information collected automatically:
- Usage data (pages visited, referring URLs, device/browser type)
- IP address (retained for security and abuse prevention)
- Strictly-necessary cookies to keep your session active
Information collected from public sources:
- Publicly-listed agent name, office phone number, office email and associated property listings, collected from commercial-property agent websites for the purpose of building a UK-wide commercial property index. This is collected under our legitimate interest (see Section 4). If you are an agent and do not want your details listed, use our takedown form at any time.
3. How We Use Your Information
- To facilitate property enquiries between buyers/tenants and agents
- To verify agent accounts and process listing-claim requests
- To send transactional emails (enquiry confirmations, account notices, lead introductions)
- To improve the platform and diagnose technical issues
- To respond to data-subject rights requests, complaints and takedown notices
- To prevent fraud and abuse of the service
4. Lawful Basis for Processing
We rely on the following lawful bases under UK GDPR Article 6:
- Contract (Art. 6(1)(b)) — for agent accounts, listing creation and enquiry fulfilment
- Legitimate interests (Art. 6(1)(f)) — for indexing publicly-listed agent contact details, security/abuse prevention, and service improvement. Our legitimate-interest assessment is that we provide a public benefit (a free commercial property index), we only process data that is already publicly published by the agent, and we respect any objection via our takedown process.
- Consent (Art. 6(1)(a)) — for non-essential cookies and any future marketing emails
- Legal obligation (Art. 6(1)(c)) — where we must retain or disclose data to comply with law
5. Data Sharing
We share the details you submit on an enquiry form (name, email, phone, message) with the agent for the listing you enquired about, so they can respond to you. We do not sell, rent or trade your personal data with third parties.
We may disclose personal data if required by law, court order, or to protect our or others' rights, property, or safety.
6. Sub-Processors
We use the following service providers (sub-processors) to deliver the service:
| Processor | Purpose | Location / Transfer safeguard |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, storage | EU (Frankfurt) / US parent — SCCs + UK Addendum |
| Vercel Inc. | Website hosting and deployment | EU edge / US parent — SCCs + UK Addendum |
| Microsoft 365 (Ireland) | Transactional email (outbound) + inbound mailbox | EU (Ireland/Dublin) — UK-EU adequacy |
| Cloudflare Turnstile | Bot/fraud protection on forms | US — SCCs + UK Addendum |
| Postcodes.io | UK postcode lookup (anonymous, no PII sent) | UK |
We maintain Data Processing Agreements with each sub-processor. The current list is available on request.
7. International Transfers
Your personal data is stored in the EU (Supabase Frankfurt, Vercel EU edge, Microsoft 365 Ireland). Some of our sub-processors are US-headquartered companies. Where a transfer outside the UK/EEA occurs, we rely on the UK International Data Transfer Addendum together with Standard Contractual Clauses (Article 46 UK GDPR), or the UK-US Data Bridge where applicable.
8. How Long We Keep Data
| Data type | Retention |
|---|---|
| Buyer / tenant enquiries | 24 months after last activity, then deleted |
| Registered agent accounts | Until the agent requests closure, then deleted within 30 days |
| Publicly-collected agent contact details | Reviewed annually; removed on takedown request |
| Server logs & IP addresses | Maximum 12 months |
| Admin audit log | 24 months |
| Cookie consent record | 12 months from the date you gave consent |
| Data-subject rights requests | 6 years (legal/regulatory evidence) |
9. Your Rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have your data deleted ("right to be forgotten")
- Restrict or object to processing
- Receive your data in a portable format (JSON/CSV)
- Withdraw consent at any time (where consent is the lawful basis)
To exercise any of these rights, use our Data Rights form or email privacy@commercial-uk.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. We would appreciate the chance to address your concerns first, but you can complain to the ICO at any time.
10. Cookies
We use strictly-necessary cookies to keep your session active and protect our forms from bots (via Cloudflare Turnstile). These cookies cannot be disabled because the site will not function without them.
We do not use advertising cookies. If we introduce analytics in future, we will only set those cookies with your consent, captured via our cookie banner.
11. Security
All data is transmitted over HTTPS/TLS 1.2+. Databases are encrypted at rest. Admin access is role-based and every admin action is logged. We maintain a security-incident response plan and will notify the ICO within 72 hours of becoming aware of any breach that is likely to affect your rights and freedoms.
12. Changes to This Policy
We may update this policy from time to time. The "Last updated" date above will always reflect the current version. Material changes will be highlighted on the homepage for at least 14 days.
13. Contact
Panematch Limited
26–28 Headlands
Kettering, NN15 7HP
Company number: 17171669
ICO registration: CSN5446139
Email: privacy@commercial-uk.co.uk