Privacy Policy
Last updated: March 2026
1. Who we are
Watchsense is a trading name of Springbar Labs Ltd, company number 17119721, registered in the United Kingdom.
Registered office: Suite RA01, 195–197 Wood Street, London, E17 3NU, United Kingdom.
Throughout this policy, “Watchsense”, “we”, “us”, and “our” refer to Springbar Labs Ltd.
For the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018), and where applicable EU data protection law (EU GDPR), we are the data controller in respect of personal data processed through this service.
2. What we collect and why
We may collect and process:
- Account and identity information including your email address, name, and country of residence where we ask for them, to create and manage your account, send magic-link sign-in emails, and communicate with you about the service.
- Stolen watch reports you file while signed in (e.g. make, model, serial number, purchase date, date of loss, and related fields) to maintain the registry and display reports as intended. Reports contain only watch details and do not include any personal information about other individuals or any description of or allegation about events.
- Registry check queries when you use the check tool: the make and serial number you enter are processed to search the registry, and related technical data may be processed to run the search and to reduce abuse or automated misuse of the service.
- Contact and enquiry information when you provide personal details (e.g. name, email address) through our contact form or otherwise so we can respond to your enquiry. Messages submitted through our contact form are processed by Mistral AI's content moderation API, as described in the sharing and transfers section. Name and email address fields are not forwarded and are only used for responses. Emails from outside of this form are not processed by Mistral AI.
- Technical and usage data (e.g. IP address, browser type, pages visited, device and connection information) to operate and secure the website, diagnose issues, and support troubleshooting efforts.
- Verification and abuse-prevention data when you complete a security challenge on sign-in or the contact form: a short-lived token is sent to our systems so we can confirm the challenge, and the challenge is provided by Cloudflare, who may process technical data in your browser when the widget loads. See the sharing and transfers section for more details.
We process this data to provide the service, comply with legal obligations, and for our legitimate interests in running and improving the service, preventing fraud and abuse, and keeping accounts secure. We do not sell your personal data.
We may use the contact details you provide to notify you about changes to the Terms of Service or Privacy Policy, or to send other operational updates.
3. Legal basis
Where we process personal data under UK GDPR or EU GDPR, the legal basis depends on the specific processing activity:
- Account and identity information is processed on the basis of performance of a contract (or steps prior to entering into one) with you.
- Stolen watch reports you file are processed on the basis of performance of a contract.
- Registry check queries are processed on the basis of our legitimate interests in providing the check service to users and preventing automated or abusive use of it.
- Contact and enquiry information is processed on the basis of our legitimate interests in responding to and managing user enquiries.
- Technical and usage data is processed on the basis of our legitimate interests in operating, securing, diagnosing, and improving the service.
- Verification and abuse-prevention data is processed on the basis of our legitimate interests in keeping the service secure and preventing fraudulent or automated misuse.
Where we ask for your consent (for example for non-essential cookies), processing is based on consent, which you may withdraw at any time. Our commitments are limited to those required by applicable law; we do not undertake any further guarantees.
4. Retention
Your account profile and stolen watch reports are retained until you delete them. Technical and usage data (such as logs) is typically retained for up to 12 months and then deleted or anonymised. Correspondence received via our contact form or email address is retained for as long as needed to resolve your enquiry and for up to two years thereafter for record-keeping purposes. Other data is retained for as long as needed to meet legal, regulatory, or operational requirements.
From your account page you can delete individual reports you created, or delete your entire account, which deletes your profile and associated data, including all of your reports.
5. Children and minors
Our service is intended for adults only. We do not knowingly collect personal data from children or minors, as defined under applicable law. If you are a child or minor, please do not use this service or submit any personal information through it. If we become aware that we have inadvertently collected personal data from a child or minor, we will take steps to delete it promptly. If you believe we may have collected such data, please contact us via our contact page.
6. Your rights
Under UK and EU data protection law you may have rights including: access, rectification, erasure, restriction of processing, data portability, and to object. Where processing is based on consent, you may withdraw consent at any time. We will respond to valid requests in accordance with the law; we do not guarantee any particular outcome or timeframe beyond what the law requires.
If you are in the UK, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise your rights or to enquire about our processing, please use our contact page.
7. Sharing and transfers
Our servers and the data our service receives and retains are hosted by Hetzner Online GmbH (Germany) in datacentres located in the European Economic Area. Hetzner processes personal data on our instructions as a processor under Article 28 UK GDPR and EU GDPR, in accordance with their Data Processing Agreement. Transfers from the UK to the EEA are covered by the UK adequacy decision for the EEA.
We use Amazon Web Services EMEA SARL (Luxembourg) for cloud infrastructure and email services. AWS may process data submitted through our service and emails sent to us; these services are limited to datacentres within the UK. Transfers are covered by the UK adequacy decision for the EEA.
We use Migadu-Mail GmbH (Switzerland) as our email provider, which stores all correspondence received via our contact form and email accounts. Migadu operates in compliance with EU GDPR and the Swiss Federal Data Protection Act, and processes data on our behalf under their Data Processing Agreement. Transfers are covered by UK adequacy decisions for both Switzerland and France (EEA), where their servers are hosted.
We use Cloudflare, Inc. (United States) for security, performance, reliability, and email routing. All web traffic to this service and emails sent to us pass through Cloudflare's network; Cloudflare may process related technical data such as IP addresses and technical metadata in the course of delivering those services. This processing is governed by Cloudflare's Data Processing Addendum, incorporating the EU-US Data Privacy Framework and its UK Extension.
Message content from our contact form may be processed by Mistral AI SAS (France) for content moderation and will not include name or email address fields. Mistral AI processes this data on our instructions as a data processor under their Data Processing Addendum. As Mistral AI is based in France within the European Economic Area, transfers from the UK are covered by the UK adequacy decision for the EEA.
Emails received through the email address listed on our contact page will not be processed by Mistral AI.
Future vendors may also be located outside the UK or European Economic Area; where international data transfers occur, we ensure appropriate safeguards are in place, which may include adequacy decisions, the EU-US Data Privacy Framework, the UK-US Data Bridge, the UK International Data Transfer Agreement (IDTA), or EU standard contractual clauses. This policy will be updated to reflect any new vendors or changes to our data processing.
We may also disclose data where required by law or to protect our rights. We do not sell or rent your personal data.
8. Security and accuracy
We take appropriate technical and organisational measures to protect your data, including encryption of connections to our service using HTTPS/TLS and access controls on our systems. We do not guarantee that our systems or your data will be completely secure, accurate, or free from loss or unauthorised access, and you use the service at your own risk in this regard.
9. Cookies and similar technologies
We use cookies and similar technologies to operate the service. This includes cookies that are strictly necessary for functionality (such as keeping you signed in) and cookies or similar storage used when a security challenge runs.
When you first visit, we will ask for your consent before setting any non-essential cookies, such as analytics cookies used to help us understand how the service is used.
You can change your cookie preferences at any time through your browser settings or our cookie consent options, though disabling certain cookies may affect how the service functions.
10. Automated decision-making
We do not make decisions that have a legal or similarly significant effect on you solely by automated means. Our service provides informational lookup results; any action you take based on those results is your own decision.
11. Changes
We may update this policy from time to time. The “Last updated” date at the top reflects when we last made changes. Where a change materially affects how we process your personal data, we will notify you where we are required to do so by law. We recommend that you review this page periodically.
12. Contact method
For privacy-related questions or requests, please use our contact page and write to us using the form or the alternative email address.