Privacy Policy
Last updated: 13 May 2026
This Privacy Policy explains how Prebo Digital UK ("we", "us", "our") processes personal data in connection with this web application and its related services. It is drafted for visitors and users in the United Kingdom and the European Economic Area (EEA) and reflects the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR) where relevant, and the EU GDPR where it applies (for example when we offer services to or monitor individuals in the EEA). It is informational and does not replace legal advice tailored to your organisation.
1. Data controller
Prebo Digital UK is the controller for personal data described in this policy, unless we state that another entity acts as controller for a specific product.
Postal address: 11 Orchid Way, Boughton Vale, Rugby, Warwickshire CV23 0SD, United Kingdom
Email: info@prebodigital.co.uk
Phone: +44 7450 552860
2. What this project is
This codebase powers a Next.js marketing and operations web application used by Prebo Digital UK. Public visitors typically see:
- A homepage listing editorial-style articles and landing content indexed by topic or category.
- Dynamic keyword or article pages (URL slugs resolved from our content database) with structured metadata for search and social sharing.
- Category hubs, XML sitemaps, and supporting assets (images, fonts).
- Contact and enquiry surfaces (including embedded third-party forms where configured) and optional Google Tag Manager measurement.
- This Privacy Policy, Terms of Use, and a cookie consent layer that sets Google Consent Mode defaults before marketing/analytics tags run.
Authorised staff also use a passwordless admin area (paths under /admin) to manage keywords, articles, media, reviews, integrations, and automation jobs. That area is not intended for the general public.
Deployment URL used in this policy: https://preboukstraider-production.up.railway.app
3. Personal data we process
Depending on how you interact with us, we may process:
- Identity & contact data: name, email address, telephone number, company name, job title (if provided), and message content you submit via contact forms or email.
- Account & authentication data (admin users): email address, display name, profile image URL (if supplied by your identity provider), session identifiers, and verification tokens created when you sign in with NextAuth.js using magic-link email authentication. We restrict sign-in to approved email domains and an administrator allow-list configured in environment variables.
- Technical & usage data: IP address, user agent, approximate geography derived from IP, referrer URL, pages viewed, timestamps, and diagnostic data from application and infrastructure logs.
- Content & research metadata: keywords, search volumes, SERP-related metrics, article titles, HTML bodies, author metadata, image references, and similar fields stored in our MySQL database to operate the StraiderAdvance / content pipeline. These fields are primarily business and SEO data; they may occasionally include personal data if someone enters it into a form or article body.
- Third-party widget data: where we embed review or social widgets (for example Elfsight), those providers may collect their own technical or interaction data under their policies.
- Cookie / local storage signals: strictly necessary cookies for sessions and security where applicable; your cookie consent choice stored in localStorage on your device; and, if you consent, tags that set or read advertising/analytics identifiers subject to Google Consent Mode.
4. Purposes and lawful bases
| Purpose | Typical lawful basis (UK / EU GDPR) |
|---|---|
| Operate the Site, route traffic, enforce redirects, prevent abuse, secure APIs | Legitimate interests; legal obligation where applicable |
| Provide admin authentication, audit access, protect accounts | Legitimate interests; performance of a contract with your employer where relevant |
| Handle enquiries submitted via forms or email | Contract / pre-contract steps; consent where we rely on optional fields; legitimate interests in responding |
| Generate, score, audit, and publish marketing articles using configured AI providers | Legitimate interests in running our product; consent where required for certain inputs |
| Run scheduled "cron" jobs (content quality, cleanup, metrics sync, image jobs, etc.) | Legitimate interests; legal obligation where applicable |
| Analytics, conversion measurement, remarketing via Google tags | Consent (cookie banner + Consent Mode) where PECR/ePrivacy requires it |
| Product analytics, error monitoring, aggregated reporting | Legitimate interests (where not overridden); consent where required |
5. Automated processing & AI
The application can call external large language models and related APIs (configuration includes providers such as OpenAI and DeepSeek, and models may change) to draft or evaluate marketing copy, relevance, or metadata. Outputs are reviewed and published through internal workflows; we do not use solely automated decisions that produce legal or similarly significant effects on individuals in the GDPR sense for public visitors. If you believe automated processing affects you unfairly, contact us using the details in section 1.
6. Cookies, local storage & Google Consent Mode
We load Google Tag Manager on the public layout. Before GTM executes, we set Google Consent Mode v2 defaults that deny non-essential ad and analytics storage (security-related storage may remain granted). If you choose Accept all in our banner, we update consent signals and store your choice in browser localStorage under the key prebo_cookie_consent_v1. Choosing Essential only keeps non-essential categories denied. You may reopen choices via the footer "Cookie settings" control, which clears that key and reloads the page.
NextAuth.js session cookies (or equivalent) may be set for signed-in admin users to maintain authentication. Those are strictly necessary for that feature.
| Technology | Purpose | Category |
|---|---|---|
| Session / auth cookies | Maintain signed-in admin session | Strictly necessary (for admin routes) |
| localStorage consent key | Remember cookie preference | Essential / functional (device storage) |
| Google Tag Manager + dependent tags | Measurement, advertising, diagnostics as you configure in GTM | Non-essential unless you map tags as essential (your configuration) |
| Third-party embeds (e.g. reviews widget) | Display social proof | Typically non-essential; review vendor settings |
Operator responsibility: ensure each tag in GTM respects Consent Mode and regional requirements (Google Tag Assistant and Consent Mode documentation).
7. Recipients, processors & integrations
We share personal data with categories of recipients depending on configuration and feature use. Examples tied to this repository include:
- Infrastructure & hosting: the organisation that hosts this Node.js / Next.js deployment (for example a cloud platform used for production) receives technical logs and content you transmit to the Site.
- Database: personal data you or admins submit is stored in MySQL (or compatible) databases managed by us or our hosting provider.
- Email delivery (SMTP): transactional email for magic links and contact form delivery is sent through the SMTP host configured in deployment environment variables.
- AI & search vendors: prompts or article excerpts may be transmitted to OpenAI, DeepSeek, or other configured model providers for generation or scoring.
- Google services: may include Google Ads / Search / Analytics / Tag Manager APIs, Search Console integrations, and OAuth tokens stored for authorised admin workflows where enabled.
- DataForSEO (or similar) for keyword and SERP-related research when those modules are enabled.
- Cloudinary (or similar media APIs) for hosting or transforming images referenced from content.
- Elfsight (or comparable widgets) when review widgets are embedded on pages.
We do not sell your personal data. We may disclose information if required by law, court order, or competent authority.
8. Retention
We retain data only as long as necessary for the purposes described, including: (a) the lifetime of your admin account or business relationship; (b) statutory limitation periods and accounting or tax obligations; (c) defending legal claims; (d) technical logs rotated according to hosting defaults. Article and keyword records may be kept until deleted through internal content lifecycle or cleanup tools. Contact us to request deletion where applicable law allows.
9. International transfers
Providers listed above may process data in the United Kingdom, EEA, United States, or other countries. Where personal data is transferred from the UK/EEA to countries without an adequacy decision, we rely on appropriate safeguards such as the UK International Data Transfer Addendum and/or EU Standard Contractual Clauses, plus supplementary measures where required.
10. Security
We implement technical and organisational measures appropriate to the risk, including access controls for admin routes, encrypted transport (HTTPS), secrets stored in environment variables, and least-privilege database credentials. No method of transmission or storage is 100% secure.
11. Your rights
Subject to conditions in UK GDPR / EU GDPR, you may have the right to: access, rectify, erase, restrict processing, object to processing based on legitimate interests, data portability (for certain processing), and withdraw consent at any time where processing is consent-based. To exercise rights, email info@prebodigital.co.uk. You may complain to the ICO (UK) or your EEA supervisory authority.
12. Children
The Site is aimed at business users. We do not knowingly collect personal data from anyone under 16 (or the applicable digital age of consent) without appropriate authority.
13. Changes
We may update this policy when features, vendors, or legal requirements change. We will revise the "Last updated" date on the policy page; substantive changes may also be announced through the Site or admin notices where appropriate.
