Privacy policy
Last updated: 2026-05-15. This policy explains how WhoCalledLookup collects, uses, stores and protects information when you use the lookup service. It is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
Who we are
WhoCalledLookup is a free UK reverse-phone-lookup service operated by OmegaIT, a UK technology consultancy. OmegaIT is the data controller for personal data processed via this site. You can contact us at hello@whocalledlookup.co.uk for any privacy-related question, including subject-access requests and erasure requests.
What we log when you use the lookup
Every time you search a UK phone number on this site, the following metadata is written to our analytics database. We log the minimum required to keep the service stable, prevent abuse and improve editorial coverage:
- The phone number you searched, normalised to E.164 format (e.g. +442079460000).
- A salted SHA-256 hash of your IP address, truncated to 32 hex characters. The salt rotates monthly and is never logged with the hash, which makes the hash mathematically irreversible to a real IP after the salt rotates.
- Your User-Agent string and Referer header, used to distinguish human visitors from automated traffic and to attribute referrals.
- A two-letter country code derived from your IP at hash time (e.g. GB, IE) for aggregate analytics.
- A coarse timestamp (rounded to the hour) and the URL of the page you were on when the lookup was triggered.
What we deliberately do not log
- Your raw IP address. The hash is computed in memory and only the hash is written to disk.
- Your name, email address, postal address or any account identifiers — we do not have user accounts.
- Lookups initiated from your browser before the page loads. No client-side analytics tag fires on /lookup/* routes.
- Cross-site behaviour. We do not embed third-party tracking pixels or fingerprinting scripts.
- Sensitive personal data (special-category data under UK GDPR Article 9). The service is designed so that no special-category data is ever submitted.
Lawful basis for processing
Our lawful basis under UK GDPR Article 6(1)(f) is legitimate interests — namely, providing a free consumer-protection tool for identifying UK telephone callers, defending the service against abuse, and improving editorial coverage of public-interest topics (scam prevention, telecoms transparency). We have completed a Legitimate Interests Assessment which is available on request.
How long we retain logs
- Lookup logs: 90 days, then aggregated and the row-level data deleted.
- Aggregate analytics (counts per number, per day, per country): indefinite, but contains no personal data.
- Salt-rotation history: 31 days, then erased.
- AI internet check results: cached for 30 days per number, then re-fetched on the next lookup.
Cookies
WhoCalledLookup does not set its own analytics, advertising or fingerprinting cookies. The site does set a strictly-necessary session cookie used by the rate-limiter for the AI lookup endpoint; this cookie contains a random opaque token, no personal data, and expires when you close the browser tab. If we add advertising in future, ad-cookie consent will be requested via an IAB TCF v2.2 consent banner before any tracking cookie is set.
Third parties we share data with
- OpenAI, L.L.C. — the AI internet check sends only the searched number (in E.164 format) to OpenAI’s Responses API for live web-search summarisation. OpenAI’s privacy policy applies to that processing — see openai.com/policies/privacy-policy. Data is processed under OpenAI’s standard zero-retention commercial terms.
- Cloudflare, Inc. — provides DDoS protection, TLS termination and edge caching. Cloudflare may temporarily process IP addresses for security purposes; their privacy policy applies.
- Hosting provider (UK). The site runs on UK-based virtual servers; raw access logs are retained by the host for 7 days for security purposes.
We do not sell, rent, lease or barter any data with any other party. We do not run an advertising data clean room or place any first-party identifier into a marketing graph.
International transfers
OpenAI processes data in the United States. Transfers to the US rely on the UK Extension to the EU-US Data Privacy Framework and on Standard Contractual Clauses (UK Addendum) where applicable. Cloudflare operates a global edge network; data processed at non-UK edges is governed by the same SCCs.
Your rights under UK GDPR
- Access — request a copy of any personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete personal data where we have no overriding legitimate basis to retain it.
- Restriction — ask us to suspend processing pending an investigation.
- Objection — object to our legitimate-interests processing on grounds relating to your particular situation.
- Portability — receive a structured copy of personal data you have provided to us.
- Complaint to the ICO — lodge a complaint with the UK Information Commissioner’s Office at ico.org.uk/make-a-complaint.
Children’s data
WhoCalledLookup is a public-interest informational tool that is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has used the service, contact hello@whocalledlookup.co.uk and we will investigate and erase any associated logs.
Changes to this policy
Material changes are noted at the top of this page with a new “Last updated” date. Non-material changes (typos, clarifications) may be made silently. The current and historical versions are public — see our About page and the site’s public git history for the audit trail.
Contact
For any privacy question, including subject-access requests: hello@whocalledlookup.co.uk. For postal correspondence, contact OmegaIT via the address listed at https://omegait.im.