Privacy policy

Last updated: 2026-06-29. This policy explains how WhoCalledLookup collects, uses, stores and protects information when you use the lookup service. It is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

Who we are

WhoCalledLookup is a free UK reverse-phone-lookup service operated by OmegaIT, a UK technology consultancy. OmegaIT is the data controller for personal data processed via this site. You can contact us at hello@whocalledlookup.co.uk for any privacy-related question, including subject-access requests and erasure requests.

What we log when you use the lookup

Every time you search a UK phone number on this site, the following metadata is written to our analytics database. We log the minimum required to keep the service stable, prevent abuse and improve editorial coverage:

  • The phone number you searched, normalised to E.164 format (e.g. +442079460000).
  • A salted SHA-256 hash of your IP address, truncated to 32 hex characters. The salt rotates monthly and is never logged with the hash, which makes the hash mathematically irreversible to a real IP address after the salt rotates.
  • Your User-Agent string and Referer header, used to distinguish human visitors from automated traffic and to attribute referrals.
  • A two-letter country code derived from your IP at hash time (e.g. GB, IE) for aggregate analytics.
  • A coarse timestamp (rounded to the hour) and the URL of the page you were on when the lookup was triggered.

What we deliberately do not log

  • Your raw IP address. The hash is computed in memory and only the hash is written to disk.
  • Your name, email address, postal address or any account identifiers — we do not have user accounts.
  • Lookups initiated from your browser before the page loads. No client-side analytics tag fires on /lookup/* routes.
  • Cross-site behaviour. We do not embed third-party tracking pixels or fingerprinting scripts.
  • Sensitive personal data (special-category data under UK GDPR Article 9). The service is designed so that no special-category data is ever submitted.

Lawful basis for processing

Our lawful basis under UK GDPR Article 6(1)(f) is legitimate interests — namely, providing a free consumer-protection tool for identifying UK telephone callers, defending the service against abuse, and improving editorial coverage of public-interest topics (scam prevention, telecoms transparency). We have completed a Legitimate Interests Assessment which is available on request.

How long we retain logs

  • Lookup logs: 90 days, then aggregated and the row-level data deleted.
  • Aggregate analytics (counts per number, per day, per country): indefinite, but contains no personal data.
  • Salt-rotation history: 31 days, then erased.
  • AI internet check results: cached for 30 days per number, then re-fetched on the next lookup.

Community accounts

The community / discussion area uses a free magic-link sign-in: you enter your email, we send a single-use sign-in link, and clicking the link creates (or signs you in to) a community account. The data we hold for an account is deliberately minimal:

  • Email address — the canonical account identifier. Used only to send the sign-in link and any critical safety notice (e.g. policy update). Never used for marketing.
  • Display name — what appears next to your community posts. You choose it and can change it any time at /community/me.
  • Session token — a random opaque token stored in an HttpOnly cookie (wcl_community). Expires after 90 days of inactivity or when you sign out.
  • Single-use email tokens — the 30-minute magic-link tokens are deleted after use or expiry.

Sign-in emails are delivered via our configured SMTP provider (see “Third parties” below). To delete your community account, email hello@whocalledlookup.co.uk with the subject “Delete my community account” from the address you signed up with. We’ll action it within 7 days.

Consent management (CookieYes)

We use CookieYes, a Google-certified IAB TCF v2.2 Consent Management Platform, to collect and record your cookie preferences. CookieYes shows the consent banner you see on first visit, stores your choice in a first-party cookie (cookieyes-consent), and shares the standardised TCF consent string + Google Consent Mode v2 signals with our advertising vendor (Google AdSense) so they honour your choice automatically.

CookieYes is a UK-registered data processor (CookieYes Ltd, London) operating under a Data Processing Agreement with WhoCalledLookup. The full CookieYes privacy policy is at cookieyes.com/privacy-policy.

Advertising (Google AdSense)

WhoCalledLookup is funded by advertising served via Google AdSense (publisher ID ca-pub-2548809251185287). AdSense uses cookies and similar technologies to:

  • Show ads that fund the free lookup service (without ads we would need to charge for lookups).
  • Measure ad performance (impressions, clicks, viewability) so advertisers know whether their ads worked.
  • If you consented to personalised ads: select ads based on your interests as inferred by Google.
  • If you rejected personalised ads: show non-personalised ads only. AdSense is set to NPA mode for every page view from your browser, no behavioural profile is built from your visits, and ads are selected based only on the page content + general location (e.g. UK).

You can change your choice at any time by clicking the small “Cookie Settings” button that CookieYes (our consent management platform) injects into the bottom-left corner of every public page. Doing so re-opens the consent dialog so you can revoke or re-grant categories independently.

The Google Ads policy on personalised vs non-personalised advertising is at policies.google.com/technologies/ads. You can also opt out of personalised ads at the Google level for every site (not just this one) at adssettings.google.com and via the EDAA opt-out at youronlinechoices.eu.

Google AdSense’s own privacy policy (which applies to the processing Google does on top of our own logging) is at policies.google.com/privacy.

Cookies

WhoCalledLookup does not set its own analytics, advertising or fingerprinting cookies. The site does set a strictly-necessary session cookie used by the rate-limiter for the AI lookup endpoint; this cookie contains a random opaque token, no personal data, and expires when you close the browser tab. If we add advertising in future, ad-cookie consent will be requested via an IAB TCF v2.2 consent banner before any tracking cookie is set.

Third parties we share data with

  • OpenAI, L.L.C. — the AI internet check sends only the searched number (in E.164 format) to OpenAI’s Responses API for live web-search summarisation. OpenAI’s privacy policy applies to that processing — see openai.com/policies/privacy-policy. Data is processed under OpenAI’s standard zero-retention commercial terms.
  • Cloudflare, Inc. — provides DDoS protection, TLS termination and edge caching. Cloudflare may temporarily process IP addresses for security purposes; their privacy policy applies.
  • Hosting provider (UK). The site runs on UK-based virtual servers; raw access logs are retained by the host for 7 days for security purposes.

We do not sell, rent, lease or barter any data with any other party. We do not run an advertising data clean room or place any first-party identifier into a marketing graph.

International transfers

OpenAI processes data in the United States. Transfers to the US rely on the UK Extension to the EU-US Data Privacy Framework and on Standard Contractual Clauses (UK Addendum) where applicable. Cloudflare operates a global edge network; data processed at non-UK edges is governed by the same SCCs.

Your rights under UK GDPR

  • Access — request a copy of any personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete personal data where we have no overriding legitimate basis to retain it.
  • Restriction — ask us to suspend processing pending an investigation.
  • Objection — object to our legitimate-interests processing on grounds relating to your particular situation.
  • Portability — receive a structured copy of personal data you have provided to us.
  • Complaint to the ICO — lodge a complaint with the UK Information Commissioner’s Office at ico.org.uk/make-a-complaint.

Children’s data

WhoCalledLookup is a public-interest informational tool that is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has used the service, contact hello@whocalledlookup.co.uk and we will investigate and erase any associated logs.

Changes to this policy

Material changes are noted at the top of this page with a new “Last updated” date. Non-material changes (typos, clarifications) may be made silently. The current and historical versions are public — see our About page and the site’s public git history for the audit trail.

Contact

For any privacy question, including subject-access requests: hello@whocalledlookup.co.uk. For postal correspondence, contact OmegaIT via the address listed at https://omegait.im.