KatchmentSign In

Privacy Policy

Last updated: 23 April 2026

This Privacy Policy explains how Upbeat Software Ltd(“we”, “us”, “our”) collects, uses, and protects personal data in connection with Katchment. It also explains your rights under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

1. Who we are

Upbeat Software Ltd is the controller of personal data we hold about Katchment users. We are a company registered in England and Wales (company number 17140434). You can contact us at privacy@katchment.com about anything in this policy or about your rights.

2. What this policy covers

This policy covers:

  • Personal data we collect about you directly when you sign up, accept an invitation, or use Katchment.
  • Personal data we collect indirectly about third parties (for example, email addresses published on the websites of schools, nurseries, and care homes) and how we present it through the service.

3. Data we collect about you

When you create an account or use Katchment, we collect:

  • Account information — your email address, name (if provided), and either a bcrypt hash of your password (if you register with email and password) or profile details returned by Google (if you sign in with Google OAuth).
  • Verification and authentication data — 6-digit email verification codes, password-reset codes, session cookies, IP address, user-agent.
  • Usage data — the territories you draw, pipeline entries (prospect / qualification / customer stages), venue notes, exports you run, email searches you run, and favourites you set.
  • Invitation data — if someone invites you to Katchment, we hold your email address against that invitation until it is accepted, revoked, or expires.
  • Access-request data — if you request access via our contact form, the name, email, company, and message you send.
  • Support correspondence — the content of any messages you send us.
  • Aggregate analytics — anonymous usage metrics collected via Vercel Analytics. This does not identify individual users.

4. How we use your data

We use personal data about you to:

  • Provide the service — create and secure your account, enforce access controls, and let you use Katchment’s features.
  • Communicate with you — verification codes, password resets, invitations, and essential service notices. We do not send marketing email without your consent.
  • Keep the service secure — detect and prevent abuse, rate-limit, investigate security incidents.
  • Improve Katchment — understand what works and what doesn’t, typically based on aggregate or anonymised data.
  • Meet legal, regulatory, and contractual obligations.

5. Lawful bases

Under the UK GDPR we rely on the following lawful bases:

  • Performance of a contract — to provide the service you have signed up for.
  • Legitimate interests — for security, fraud prevention, product improvement, and to present publicly-available venue information to users of Katchment. Where we rely on legitimate interests we balance them against your rights and interests.
  • Consent — where a feature or communication is optional (for example, analytics cookies that go beyond strictly necessary, if we introduce any).
  • Legal obligation — where we are required to retain or disclose data by law.

6. Data about third parties (venues and contacts)

Katchment ingests information about UK schools, nurseries, and care homes from official public sources, including the GIAS dataset, Ofsted, the Care Quality Commission, the Care Inspectorate (Scotland), Care Inspectorate Wales (CIW), RQIA (Northern Ireland), Ordnance Survey, and the Office for National Statistics. Most of this is organisational information and not personal data.

Katchment’s email search feature reads pages an establishment has chosen to publish on its own public website and pulls out email addresses found there, together with the text around each address. We filter out free email providers (Gmail, Yahoo, Hotmail, and similar) to avoid surfacing personal addresses. An AI service (Anthropic Claude) then analyses the surrounding page text to infer the likely role, department, and where clearly stated on the same page, the name of the person the address belongs to.

Where this data relates to identifiable individuals, our lawful basis is legitimate interests: making information that those individuals or their employers have chosen to publish on a public website discoverable for legitimate business-to-business outreach. We have considered the impact on the individuals concerned and believe this use is reasonable and within their expectations, given the public-facing nature of the source pages.

If you are a named individual whose details appear in Katchment and you would like us to remove them, email privacy@katchment.com. We will action reasonable requests promptly.

7. Who we share data with

We share personal data only with service providers who help us run Katchment. They act as processors on our instructions and are bound by contractual confidentiality and security obligations:

  • Neon Database — database hosting. Data stored in the UK / EEA where available.
  • Vercel — application hosting and serverless execution. May transfer data to the United States under UK-approved transfer mechanisms.
  • Anthropic — AI inference for email role and name analysis. Data transferred under UK-approved transfer mechanisms.
  • Mapbox — map tiles, geocoding, and tile-query. Data transferred under UK-approved transfer mechanisms.
  • Google — Google OAuth sign-in and optional venue website look-ups via Google Places. Data transferred under UK-approved transfer mechanisms.
  • Resend — transactional email (verification, invitations, password resets). Data processed within the EEA.

We do not sell personal data. We may disclose data where required by law, to enforce our Terms, to protect our rights, property, or safety, or as part of a business transfer (such as a merger or acquisition), in which case we will let you know.

8. International transfers

Some of our service providers are based outside the UK or EEA. Where personal data is transferred to a country without a UK adequacy regulation, we rely on UK-approved transfer mechanisms such as the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, plus supplementary measures where appropriate.

9. Data retention

  • Account data — kept while your account is active and for up to 12 months after closure for legal, security, and backup reasons.
  • Territories, pipeline, venue notes — kept for the lifetime of the owning account or company. Territory deletion immediately removes associated pipeline entries, assignments, and notes.
  • Verification and reset codes — 24 hours, or until used, whichever is sooner.
  • Invitation tokens — 7 days from issue.
  • Access requests and support correspondence — up to 2 years.
  • Scraped emails and venue data — retained as part of Katchment’s dataset for ongoing use by authorised users. Individual entries can be removed on request.
  • Backups and logs — short rolling windows (typically up to 30 days) for operational reasons.

10. Security

We protect personal data with measures including TLS encryption in transit, bcrypt hashing of passwords, access controls, audit logging, short-lived session tokens, and regular review of our dependencies. No system is perfectly secure, and you are responsible for keeping your login credentials confidential.

11. Your rights

Under the UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your personal data in certain circumstances.
  • Restrict or object to our processing.
  • Data portability — receive a copy of data you’ve provided to us in a structured, commonly-used, machine-readable format.
  • Withdraw consent at any time where processing is based on consent. This does not affect the lawfulness of processing before withdrawal.
  • Complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk if you think your data has been handled unlawfully.

To exercise any of these rights, email privacy@katchment.com. We will respond within one month unless the request is complex, in which case we will let you know.

12. Cookies and similar technologies

Katchment uses a small number of cookies and similar technologies:

  • Strictly necessary — session cookies that keep you signed in and secure. These are required and cannot be turned off without breaking the service.
  • Analytics — Vercel Analytics collects anonymous, aggregate usage data. It does not track individuals across sites.

We do not use advertising cookies, third-party trackers, or cross-site tracking.

13. Children

Katchment is intended for business use by adults. We do not knowingly collect personal data from anyone under 18. If you believe a child has given us personal data, please contact us and we will delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. For material changes we will notify you by email or through the service. The “Last updated” date at the top shows when the policy was last revised.

15. Contact

For any privacy questions or to exercise your rights, contact us at privacy@katchment.com, or by post at Upbeat Software Ltd, United Kingdom.

Katchment is a product of Upbeat Software Ltd, registered in England and Wales (company number 17140434).