Privacy

We collect the minimum, and you can take it back any time.

You can browse most of Truely without an account at all. If you create one — for the watchlist, search history and the gated report sections — this page is the plain-English account of what we hold, why we hold it, and the two buttons in your account that let you export or delete it.

The short version

Anonymous browsing of public-record data isn't tracked. If you create an account, we hold your email, your name, and (optionally) the postcode you said you were interested in. While signed in we record what you search for and what you star, so the watchlist and history tabs work — those records are visible only to you.

Truely never sends marketing emails. We email you about your account (sign-in links, security notices, deletion confirmations) and — if you're a Pro subscriber — about your subscription (receipts, renewal reminders, failed-payment notices, cancellation confirmations). The one optional marketing opt-in on signup is the Pro waitlist — a single email when the paid tier launches.

If you subscribe to Truely Pro we share billing data with Stripe (our payment processor) so they can take your payment. Truely never sees or stores your card number. See Who can access it and the Stripe billing section below for the full detail.

We never sell, share or rent your data. There are two destructive controls on your account page: Download my data gives you a JSON copy of everything we hold, and Delete my account wipes the lot — irreversibly — within seconds.

Last updated: . (Updated to reflect Truely Pro and the use of Stripe as our payments processor.)

How we use your email — the short version

Truely never sends marketing emails. The only emails we send are:

  • Account-related notifications — sign-in links via magic link, security notices (e.g. a sign-in from a new device), and account deletion confirmations.
  • Pro launch announcement — one single email, sent only if you opted in to the Pro waitlist during signup, and only when the Pro tier goes live. One-click unsubscribe at any time.

Truely does not currently send any other communications and does not share your data with third parties for marketing or any other purpose. We may add user-initiated features in the future (e.g. partner referrals when you request a property-service quote on a postcode page) — at that point, we'll ask for your specific consent for that feature, not before.

You can change your Pro waitlist consent on your account page at any time.

What we collect

Only when you create an account, and only the fields the signup form asks for:

  • Email address. Required — it's how you sign in (we send a one-time magic link, no passwords) and how we'd reach you about your account.
  • Full name. Required — used to address you on the account page and in any email we send.
  • "I'm a…" role. Optional — homeowner, renter, buyer, investor, professional, curious. Helps us tune which sections to prioritise next; never shared.
  • Postcode of interest. Optional — if you give us one we'll seed your watchlist with it.
  • Pro waitlist consent. Optional checkbox — opt-in only. If ticked, we'll send you exactly one email when the Pro tier launches. We record the timestamp of your consent so we can prove it was opt-in. Withdrawable at any time on the account page.

While you are signed in we also record:

  • Search history. The postcodes you look up while signed in, with timestamps. Powers the "Search history" tab on your account.
  • Saved postcodes. The watchlist — postcodes you've starred from a report. Powers the "Watchlist" tab.

Searches you make while signed out are not recorded against any account. We don't run advertising trackers, fingerprinting, or session-recording on the site at all. We do use Vercel's privacy-friendly Analytics (no cookies, no cross-site tracking) to count page views — see the cookies page for details.

If you subscribe to Truely Pro we additionally store, alongside your free-tier account record:

  • Stripe customer ID and subscription ID. Random opaque strings issued by Stripe — they let us look up the subscription state of your account without storing card data.
  • Subscription status, plan, billing period, and next renewal date. So the account page can show you what you're paying for and when.
  • Billing email. The email Stripe sends your receipts to (which may be the same as your account email, or different if you set a different billing email at checkout).
  • Cancellation timestamp, if applicable. So we know when to revert your account to the free tier.
  • Cooling-off waiver flag. Whether you ticked the "start my Pro features immediately" checkbox at checkout — required for us to evidence the waiver under the Consumer Contracts Regulations 2013.

We do not store your card number, CVC, expiry date, or any other "payment instrument" data. Card data is handled exclusively by Stripe in a PCI-DSS Level 1 environment. We see only the last four digits of the card and the card brand, and only insofar as Stripe surfaces them on its customer portal — they are not stored in Truely's database.

Why we collect it

  • Account creation and sign-in. Email + name are the minimum to give you a stable sign-in identity. Magic links replace passwords entirely.
  • Account recovery. If you lose access to your inbox, the email on file is the route back in.
  • Watchlist + history. So that "the postcodes I care about" and "the things I just looked up" survive across visits and devices.
  • Pro subscription state. Stripe IDs, plan, renewal date and cancellation timestamp let us show you what you're paying for, unlock the Pro features for the right account, and stop billing when you cancel.
  • Cooling-off waiver flag. Required by the Consumer Contracts Regulations 2013 to evidence that you consented to start the digital service immediately.
  • Pro waitlist consent. The single opt-in on signup. It sits dormant until the Pro tier launches, at which point we send exactly one email if you ticked the box. Withdrawable from the account page.

Lawful basis under UK GDPR Article 6:

  • Contract (Article 6(1)(b)) — for account fields, watchlist and history (we can't run the account otherwise) and for all Pro subscription data (necessary to perform the subscription contract).
  • Legal obligation (Article 6(1)(c)) — for retention of invoice/receipt data for the period required by HMRC (currently six tax years).
  • Consent (Article 6(1)(a)) — for the Pro waitlist marketing opt-in. Withdrawable at any time from the account page.
  • Legitimate interest (Article 6(1)(f)) — for security logging, fraud prevention on the payment flow, and aggregate (non-identifying) page-view analytics. You can object by emailing hello@truely.uk.

Where it's stored

Your account record and everything attached to it live in a Supabase Postgres database hosted in the EU (Supabase's Frankfurt region). The site connects to it over HTTPS. Row-level security policies on every table enforce the rule that you can only ever read or change your own rows — even our anonymous public read path can't see another account's data.

Authentication tokens (the bit your browser uses after you click a magic link) live in your device's localStorage under the key truely.auth.v1 — they don't leave your device except to make signed requests back to Supabase.

Who can access it

You — through the account page. That's the operational answer.

Operationally, the same data is technically accessible to whoever holds the Supabase service-role key (currently one person, the operator of Truely) for support purposes. We don't use it to read accounts in normal operation; the only routine access is via the anonymous and authenticated keys, which are governed by the row-level security policies described above.

Third-party processors we use. Under UK GDPR these are our "processors" — they handle data on our written instructions, under contractual confidentiality and security obligations, and don't get to use your data for their own purposes:

  • Supabase — Postgres database hosting (EU, Frankfurt). Holds your account record, watchlist, search history and Pro subscription state. Privacy policy.
  • Stripe Payments Europe Ltd — payments processor for Truely Pro. Sees your name, email, billing address, and card details (which it stores under PCI-DSS Level 1); we don't. Stripe is also a controller in its own right for fraud-prevention and regulatory-compliance purposes. Privacy policy.
  • Vercel Inc. — hosting / CDN and privacy-friendly Analytics (Vercel Web Analytics: no cookies, no fingerprinting, no cross-site tracking; counts page views via hashed and salted IP for aggregate reporting only). Privacy policy.
  • Resend / our transactional-email provider — used only to deliver magic-link emails, receipt emails, renewal reminders and the optional Pro-waitlist email. They process your email and any text in the message; they don't get to use it for anything else.

International transfers. Supabase processes your data in the EU. Stripe processes payment data in the UK and EU and may transfer it to the US under the UK addendum to the EU-US Data Privacy Framework. Vercel's edge network is global; Vercel relies on Standard Contractual Clauses and the UK addendum for any transfer outside the UK/EEA. We don't make any other international transfer.

We don't share your data with advertisers, data brokers, or any third party for marketing. We don't run any third-party advertising analytics on the site. The only outbound calls when you use Truely are to the public-record sources used to build the report (postcodes.io, OpenStreetMap tile servers, the UK Parliament Members API) — those calls happen from your browser and never include your account identity.

We will also share your data if we are legally compelled to (e.g. a valid court order, search warrant, or HMRC information notice), or where strictly necessary to investigate or prevent suspected fraud or harm to users.

Stripe billing — the detail

When you start a Truely Pro subscription, the checkout is hosted by Stripe. The page you see is on Stripe's domain (checkout.stripe.com) — Truely sends Stripe the subscription plan you've chosen and the email on your Truely account, and Stripe collects your card details and (where required) a billing address directly from you. Truely doesn't see, store, or have any access to your card details.

After payment, Stripe redirects you back to Truely with a confirmation. We store the Stripe customer ID, subscription ID, plan, renewal date and cooling-off-waiver flag against your account (see What we collect). Stripe sends an email receipt from noreply@stripe.com. You can view, update, or cancel the subscription from your account page on Truely or from the Stripe-hosted customer portal we link to there.

Why we use Stripe. Stripe is the standard UK payments processor for small SaaS businesses. They handle PCI compliance, card storage, fraud detection, dispute management, SCA / 3D-Secure authentication, VAT calculation (where applicable) and tax invoicing. Doing any of those things in-house would expose your card data to a much larger surface area than is necessary.

Stripe's role under UK GDPR is partly as our processor (executing the payment on our instruction) and partly as an independent controller (for fraud prevention, regulatory reporting, and KYC). Their full privacy notice is at stripe.com/gb/privacy.

Your rights, and how to use them

UK GDPR gives you a fixed set of rights over the personal data we hold about you. The two we've made one-click on the account page cover the cases that come up in practice:

  • Right of access & data portability. Sign in → account → Download my data. Produces a JSON file with your profile, search history, saved postcodes, and email preferences. Importable anywhere that takes JSON.
  • Right to erasure ("right to be forgotten"). Sign in → account → Delete account tab → Delete my account, then type "delete" to confirm. We wipe the profile, watchlist, search history, email preferences, and the underlying authentication record in a single transaction.
  • Right to rectification. Email hello@truely.uk with the correction. (We don't currently expose an "edit profile" surface because the only structured field beyond email is your name.)
  • Right to restrict or object to processing. Email hello@truely.uk. In practice: untick everything on the email-preferences tab and we won't email you again; delete your account and we hold nothing.
  • Right to withdraw consent. Untick the "Send me a single email when Pro launches" toggle on the account page. Saves instantly. The corresponding consent timestamp is cleared at the same time.

For anything you can't do from the account page, write to hello@truely.uk. We aim to respond within the 30 days UK GDPR allows; usually faster.

You also have the right to complain to the UK Information Commissioner's Office (the ICO) if you think we have mishandled your data.

How long we keep it

  • Account data. Kept until you delete your account. There is no automatic expiry.
  • Deleted accounts. Removed from the live database immediately when you press the button. Any residual copy in the encrypted Supabase backup chain expires within 30 days.
  • Backups. Encrypted database backups are retained on a rolling 90-day window by Supabase. We don't read them; they exist for disaster recovery.
  • Server logs. Vercel keeps standard HTTP logs (IP, user-agent, request path) for the period set by their policy. We don't tie those logs to your account.
  • Billing records (Pro subscribers). Invoices, receipts, refunds and the associated metadata (Stripe customer ID, subscription ID, amounts, dates, country, VAT status) are retained for six tax years after the end of the tax year they relate to. This is a UK statutory requirement under HMRC's record-keeping rules; we cannot delete it earlier, even at your request. After six years, the records are deleted in the next routine purge. Stripe retains its own copy under its own retention policy.
  • Cooling-off waiver flag. Retained alongside the billing record, for the same six-year period, so that we can evidence consent to immediate digital service delivery under the Consumer Contracts Regulations 2013 if a dispute arises.

If you delete your account while a Pro subscription is active, the subscription is cancelled and your access reverts to the free tier at the end of the current billing period. The billing records associated with payments you've already made are retained per the bullet above; everything else is wiped.

Cookies and local storage

Truely sets no HTTP cookies of its own and runs no third-party analytics or advertising trackers. The minimal browser-side storage we do use is held in localStorage, never sent off-device by us, and used either to keep the site functional (auth) or to remember something you actively did (your recent searches). UK ICO and PECR treat localStorage similarly to cookies; the entries below all qualify as strictly necessary or user-initiated, so no consent banner is required — we still surface a one-time transparency notice. The three entries are:

  • Recent searches (truely.recent.postcodes) — the last five postcodes you've looked up, used to power the "Recent" row on the homepage.
  • Auth session (truely.auth.v1) — present only if you're signed in; contains the magic-link token your browser sends back to Supabase on each request.
  • Privacy notice flag (truely-notice-dismissed-v1) — a single value recording that you've seen the privacy banner.

All three are first-party. To wipe them in one click, hit Clear next to "Recent" on the homepage, or use your browser's "clear site data" tool. See our cookie policy for the full picture.

Children

Truely is not directed at children under 13 and we do not knowingly create accounts for them. If you believe a child has registered an account, write to hello@truely.uk and we will delete it.

Changes to this policy

We will update this page before any change to what we collect or process. Material changes (anything that would expand our processing) will trigger a homepage notice. The "last updated" date at the top of the page reflects the most recent revision.

Contact

Questions, corrections, deletion requests, or anything you want to raise about your data: hello@truely.uk. For a postal address, email first and we'll send the current one.