Plain Site
Legal

Privacy policy

Plain Site Group Limited is committed to protecting your personal data and being transparent about how we use it.

Last updated: May 2026

Data controller

Who we are

The data controller is Plain Site Group Limited, registered in England and Wales (company no. 16009853). When this policy refers to "we", "us", or "our", it means Plain Site Group Limited.

Plain Site is not yet authorised or regulated by the Financial Conduct Authority. Insurance products are currently offered in partnership with authorised carriers. We are developing our regulatory authorisation.

If you have questions about how we handle your data, contact us at hello@plainsite.io.

What we collect

Information we collect and how

We collect personal data in the following ways:

Information you give us directly

When you book a call, contact us by email, or submit an enquiry, we collect: your name, email address, job title, company name, and the details of your portfolio or property exposure you share with us.

Information from your site and portfolio

As part of our risk assessment process, we collect and process data about the commercial properties you operate: site addresses, land-use type, drainage characteristics, flood exposure data, and the results of IoT monitoring where sensors are installed. Where this data relates to a named individual (for example, a sole trader operating from a site), it constitutes personal data.

Information we generate

We create records of our communications with you, including call notes, emails, and risk assessment outputs. These records are held as part of our underwriting file.

Information from third parties

We may receive publicly available data about flood risk, land use, and property from sources including the Environment Agency, Ordnance Survey, and licensed flood modelling providers. Where this enriches a record that identifies you, it forms part of your data profile.

How we use it

Purposes and legal bases

We process your data for the following purposes, under the legal bases set out in UK GDPR:

Underwriting assessment and risk modelling

We use your portfolio and site data to assess flood risk, model the impact of nature-based interventions, and structure insurance terms. Legal basis: performance of a contract, or legitimate interests where no contract yet exists.

Communicating about our products

We use your contact details to respond to enquiries, progress discussions about cover, and share information about Plain Site products you have expressed interest in. Legal basis: legitimate interests (B2B communication where there is a prior relationship or direct enquiry).

Placing and administering insurance

If you take out cover through Plain Site, we share the relevant risk data and personal details with our capacity partners (authorised insurers and reinsurers) as required to bind and administer the policy. Legal basis: performance of a contract.

Regulatory and legal compliance

We retain records as required under applicable law and financial services regulation, including in preparation for FCA authorisation. Legal basis: legal obligation.

Improving our risk models

We use aggregated and anonymised site performance data to improve the accuracy of our flood risk models and nature-based solution assessments. This data is not personal data. Where we use personal data for this purpose, we rely on legitimate interests and apply appropriate safeguards.

Who we share with

Third-party disclosure

We do not sell personal data. We share it only where necessary for the purposes above, with:

Authorised insurance carriers and reinsurers

To bind and administer flood cover. These parties act as independent data controllers in respect of any data they receive, and their own privacy policies apply.

IoT monitoring and data providers

To install, operate, and read performance monitoring equipment on sites where sensors are in place. These providers act as data processors under our instruction.

Professional advisers

Solicitors, actuaries, and compliance advisers who support our business operations, under confidentiality obligations.

Regulatory authorities

We may be required to disclose data to the FCA, ICO, or other regulatory bodies where required by law.

All third parties we work with are required to maintain appropriate security standards and to use personal data only for the purposes for which it was shared.

Retention

How long we keep your data

We retain personal data for as long as it is needed for the purpose it was collected, and no longer than required by law.

Enquiry records — up to 3 years from last contact, unless an insurance relationship develops.

Underwriting and policy records — for the duration of any insurance arrangement, plus 7 years from policy expiry, in line with standard financial services retention requirements.

IoT monitoring data — for the term of the monitoring agreement, plus a period sufficient to satisfy any claim or dispute resolution requirements.

Regulatory correspondence — as required by applicable law, which may exceed the above periods.

At the end of the applicable retention period, we securely delete or anonymise your data.

Your rights

Rights under UK GDPR

You have the following rights in relation to your personal data:

  • Access
    Request a copy of the personal data we hold about you.
  • Rectification
    Ask us to correct inaccurate or incomplete data.
  • Erasure
    Ask us to delete your data where we no longer have a lawful basis to hold it.
  • Restriction
    Ask us to limit how we use your data while a dispute is resolved.
  • Portability
    Receive your data in a structured, machine-readable format where processing is based on consent or contract.
  • Objection
    Object to processing based on legitimate interests, including direct marketing.

To exercise any of these rights, contact us at hello@plainsite.io. We will respond within one calendar month. We may need to verify your identity before acting on a request.

If you are not satisfied with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

Security & changes

Security and updates

Security

We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include access controls, encrypted communications, and periodic review of our data handling practices.

International transfers

We do not routinely transfer personal data outside the UK. Where any transfer is necessary — for example to a third-party platform hosted outside the UK — we ensure adequate safeguards are in place in accordance with UK GDPR.

Changes to this policy

We may update this policy from time to time. Material changes will be notified by email where we hold a contact address for you, or by posting a notice on this page. The date at the top of this policy reflects when it was last revised.