GoNoGo Ratings and Reviews Ltd.
Effective date: 14 April 2026
GoNoGo Ratings and Reviews Ltd ("GoNoGo", "we", "us", or "our") is a company registered in England and Wales (company number 16433454). We operate the brand ratings, reviews, and comparison platform at www.gonogo.co.uk (the "Site").
GoNoGo is the data controller for personal data processed through the Site and any related services or mobile applications we may offer in the future. Where we engage other organisations to process personal data on our behalf, they act as data processors under our documented instructions.
If you have any questions about this policy or how we handle your personal data, please contact us at:
Email: admin@gonogo.co.uk
Postal address: GoNoGo Ratings and Reviews Ltd, England and Wales
This Privacy Policy applies to all personal data collected when you:
Third-party websites linked from the Site have their own privacy policies. We are not responsible for their content or practices.
We process personal data in accordance with:
Our supervisory authority is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Website: ico.org.uk.
anonymize_ip: true), which truncates your IP address before it is processed by Google's
servers.When you choose to sign in using a third-party Single Sign-On (SSO) provider such as Google Sign-In or Apple Sign-In, we receive from that provider the data elements you have authorised it to share with us, which typically include your:
We do not receive your SSO provider password. The SSO provider's own privacy policy governs how they handle your data in connection with the sign-in process. Please refer to the Google Privacy Policy or Apple Privacy Policy as applicable.
Once you have an account, we collect data about how you use it, including:
UK GDPR requires us to identify a lawful basis for each processing activity. The table below sets out our processing purposes, the categories of data involved, and the lawful basis we rely on.
We rely on this basis where processing is necessary to provide a service you have requested or to take steps at your request before entering into a contract. This includes:
We rely on legitimate interests where our processing is necessary for purposes that are proportionate and do not override your rights and freedoms. We have conducted a Legitimate Interests Assessment (LIA) for each activity listed below:
We process data where required to comply with legal obligations, including:
We rely on your freely given, specific, informed, and unambiguous consent for:
We use Supabase Auth to manage user authentication and sessions. When you log in, Supabase Auth issues a signed JSON Web Token (JWT) and a refresh token. These tokens are used to:
Session tokens for admin and brand users are stored in your browser's localStorage under the
keys adminUser, adminLoginTime, brandUser, and
brandLoginTime. This data remains on your device and is never transmitted to us except as
needed for authentication verification. You can clear this data at any time by logging out or clearing your
browser's local storage.
Passwords are never stored in plaintext. Supabase Auth applies industry-standard hashing before storing credentials.
We use Resend (Resend, Inc.) to deliver transactional emails including:
To deliver these emails, Resend processes your email address and the content of the email on our behalf. Resend acts as our data processor and is bound by a Data Processing Agreement. Resend's servers may be located outside the UK; see Section 10 (International Data Transfers) for how we address this.
Transactional emails are sent on the basis of contract performance (they are necessary to provide the account functionality you have signed up for) and are not marketing communications. You cannot opt out of transactional emails while you hold an active account, but you can close your account at any time (see Section 13).
We use cookies (small text files placed on your device) and the browser's localStorage API to store certain information. A summary of each item is set out below.
The following items are stored in your browser's localStorage and are strictly necessary for
the Site to function. They are placed without requiring your consent under PECR because they are essential
to a service you have explicitly requested:
gonogo_theme — stores your display preference (dark or light mode). Contains no personal
data.gonogo_cookie_consent — records the cookie consent choice you have made so we do not
repeatedly prompt you. Contains your consent decision and the date it was recorded.adminUser / adminLoginTime — stores session state for admin portal users.
Contains your admin user identifier and login timestamp.brandUser / brandLoginTime — stores session state for brand portal users.
Contains your brand user identifier and login timestamp.
We use Google Analytics 4 (measurement ID: G-2C18K0YYXM) to understand how visitors use the
Site. Google Analytics sets cookies on your device (including _ga and related cookies) to
distinguish users and compile statistical reports. These cookies are loaded only after you have
accepted analytics cookies via our consent banner.
Google Analytics cookies are set by the domain google-analytics.com. IP anonymisation is
enabled, meaning the final octet of your IP address is removed before data is stored. The data collected
includes pages visited, session duration, device type, and approximate geographic location (at city level).
You can opt out of Google Analytics tracking at any time by:
Most web browsers allow you to control cookies through their settings. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you disable strictly necessary cookies or local storage items, some parts of the Site may not function correctly. For guidance on how to manage cookies in common browsers, visit the ICO's cookies guidance.
We engage the following third-party processors under written Data Processing Agreements (or equivalent contractual terms). Each processor is permitted to use your personal data only in accordance with our instructions and applicable law.
Supabase, Inc. provides our database infrastructure (PostgreSQL), authentication services (Supabase Auth), and serverless edge functions. Your account credentials, profile data, ratings, reviews, session tokens, and all other data entered into the Site are stored in Supabase databases hosted in the eu-west-1 (Ireland) region on Amazon Web Services. Processing in eu-west-1 is within the European Economic Area (EEA), which is a jurisdiction the UK has determined to provide an adequate level of data protection (subject to ongoing UK adequacy reviews).
Vercel, Inc. hosts and deploys the Site. Vercel operates a global edge network and may serve cached content from nodes located outside the UK and EEA to reduce latency. Technical log data (including IP addresses) may be processed on servers in the United States and other jurisdictions. Vercel processes this data under the EU Standard Contractual Clauses and their UK International Data Transfer Addendum (IDTA), which provide appropriate safeguards for international transfers.
Google LLC provides Google Analytics 4 (GA4). When analytics cookies are accepted, usage data is transmitted to and stored on Google's servers, including servers in the United States. Transfers to Google are governed by the EU–US Data Privacy Framework (to the extent applicable), Standard Contractual Clauses, and Google's UK IDTA Addendum. IP anonymisation is applied before data reaches Google's analytics infrastructure.
Resend, Inc. delivers transactional emails on our behalf (account verification, password resets, and notifications). Your email address and the content of each email are processed by Resend solely to deliver the message. Resend's infrastructure is primarily US-based; transfers are covered by appropriate Standard Contractual Clauses under Resend's Data Processing Agreement.
GitHub, Inc. (a subsidiary of Microsoft Corporation) hosts our source code repository. GitHub does not process user personal data as part of its normal code-hosting service, but may process metadata related to our development activity. GitHub's servers are located in the United States; transfers are covered by Microsoft/GitHub's Standard Contractual Clauses.
When you use Apple Sign-In or Google Sign-In, the relevant provider acts as an independent data controller for the sign-in process. We receive only the data elements described in Section 4.3. Please refer to the respective provider's privacy policy for details of their processing.
The UK GDPR restricts transfers of personal data to countries outside the UK unless an appropriate safeguard or exemption applies. The following table summarises our international transfer position:
You may request a copy of the relevant transfer safeguards by contacting us at admin@gonogo.co.uk.
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected and to comply with legal obligations. Our standard retention periods are as follows:
Where retention is required by law or to defend or establish legal claims, we may retain data for longer than the periods above. Data that has exceeded its retention period is securely deleted or anonymised.
Under UK GDPR and the DPA 2018, you have the following rights in relation to your personal data. We will respond to all verified requests within one calendar month of receipt. Where a request is complex or there are a large number of requests, we may extend this period by a further two months, in which case we will notify you within the initial one-month period.
There is no charge for exercising your rights in most circumstances. We may charge a reasonable fee or refuse to act on manifestly unfounded or excessive requests.
You have the right to request a copy of the personal data we hold about you and information about how we process it. This is known as a Subject Access Request (SAR).
You have the right to request that we correct any inaccurate personal data we hold about you, or complete any incomplete data.
You have the right to request deletion of your personal data in certain circumstances — for example, where the data is no longer necessary for the purpose for which it was collected, where you withdraw consent (and there is no other lawful basis), or where the data has been unlawfully processed. This right is not absolute; we may retain data where required by law or to defend legal claims.
You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, while you contest the accuracy of data we hold, or where processing is unlawful but you prefer restriction to deletion.
Where we process your data on the basis of consent or contract performance, and the processing is carried out by automated means, you have the right to receive a copy of your personal data in a structured, commonly used, machine-readable format, and to request that we transmit it directly to another controller where technically feasible.
You have the right to object to processing based on legitimate interests (Article 6(1)(f)) or in the public interest (Article 6(1)(e)). Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary to establish, exercise, or defend legal claims.
You have an absolute right to object to processing for direct marketing purposes at any time, including profiling to the extent related to direct marketing.
You have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal or similarly significant effects concerning you. We do not currently carry out any such automated decision-making. Should we introduce it in the future, this policy will be updated to describe the logic involved and the potential significance of such processing.
Where we rely on your consent as the lawful basis for processing (e.g., analytics cookies), you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. You can withdraw analytics cookie consent via the cookie settings link in the Site footer.
To exercise any of the rights above, please contact us at admin@gonogo.co.uk with enough information for us to identify you (we may ask for proof of identity before processing a request). You can also exercise some rights — such as updating your account details or deleting your account — directly within your account settings on the Site.
If you are dissatisfied with how we have handled your personal data or your rights request, you have the right to lodge a complaint with the ICO:
We encourage you to contact us in the first instance so that we have the opportunity to address your concern directly.
You may close your GoNoGo account at any time by contacting us at admin@gonogo.co.uk with your account email address and a request to delete your account. We will:
Note that once your data has been anonymised, it cannot be re-identified and is no longer subject to UK GDPR. Aggregated anonymised analytics data (e.g., in Google Analytics) may be retained as it contains no information that can be linked back to you.
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
No method of transmission over the internet or method of electronic storage is 100% secure. Whilst we strive to protect your personal data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, and notify you directly where required by law.
The Site is intended for use by adults and is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe that a child under 13 has provided us with personal data without your consent, please contact us at admin@gonogo.co.uk and we will take steps to delete the data as promptly as possible.
Users between the ages of 13 and 17 should ensure they have the permission of a parent or guardian before providing any personal data to us.
The Site may contain links to third-party websites, including the websites of brands featured on our platform. These websites have their own privacy policies and we have no responsibility for or control over their privacy practices. We encourage you to read the privacy policy of every website you visit.
We may in the future offer mobile applications (for iOS and/or Android) or other digital services. Any such services will be covered by this Privacy Policy, which will be updated prior to launch to describe any additional data collection practices — for example, device identifiers, push notification tokens, or location data — that are specific to a mobile environment. We will notify you of material changes in accordance with Section 20 below.
For ease of reference, the following table summarises the lawful basis for each category of processing:
The Site is operated from and directed primarily at users in the United Kingdom. If you are accessing the Site from outside the UK, please be aware that your data may be transferred to and processed in the UK and in the countries described in Section 10. By using the Site, you acknowledge that your data may be processed in these jurisdictions.
This Privacy Policy is governed by UK law. We do not make any specific representations regarding compliance with privacy laws outside the UK (such as GDPR, CCPA, or other regional privacy regulations). If you have specific questions about how your jurisdiction's laws apply to your use of our Site, please contact us.
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or the services we offer. When we make material changes, we will:
We encourage you to review this policy periodically. Your continued use of the Site after the effective date of any updated policy constitutes your acknowledgement of the changes. For material changes that affect processing for which we rely on your consent, we will seek fresh consent before processing begins.
If you have any questions, concerns, or requests relating to this Privacy Policy or our data processing practices, please contact us:
We aim to respond to all data protection enquiries within 5 working days. For formal rights requests under UK GDPR, we will respond within the statutory one-month period.
This policy was last reviewed and updated on 14 April 2026.