Trust & security

How Truely handles your data.

Plain-English summary of our security posture, who processes what, how long we keep things, and the UK consumer-law rights you have either way. Procurement teams looking for the deep technical detail should jump to the /api Compliance section or the full privacy policy.

The short version

  • We're a UK business processing data in the UK and EEA. Vercel (London/Dublin edge regions) and Supabase (UK eu-west-2) for application + data; Stripe (UK/EEA) for payments. No data leaves UK/EEA in normal operation.
  • The 25+ datasets we serve are UK public records under the Open Government Licence v3.0. They're not anyone's personal data and we're not a processor of personal data on your behalf for that content.
  • We're a controller for the small amount of personal data we hold about you — email, Stripe customer ID, saved postcodes, search history, API usage logs.
  • API keys are SHA-256 hashed at rest — we never store the plaintext. You see it once at creation.
  • Usage logs retained 30 days raw / 13 months aggregated. Used only for rate-limit accounting and abuse prevention.
  • No ads, no analytics SDKs, no third-party trackers — Vercel Web Analytics is cookie-free and aggregate-only.
  • UK consumer-law rights stay intact regardless of anything written here. See refunds and terms.

Last updated: .

1. Data residency

All Truely infrastructure runs in the UK and EEA. Specifically:

  • Application: Vercel Edge Functions, primarily routed via the London (lhr1) region. Failover to Dublin (dub1).
  • Database: Supabase, UK region (eu-west-2).
  • Payments: Stripe Payments Europe Ltd, UK + EEA regions. Card data never touches Truely's servers — it's submitted directly to Stripe.

No data leaves the UK/EEA in normal operation. The exceptions are: (a) Vercel's global edge network may serve cached HTML from non-UK edge nodes to improve latency for non-UK readers; cached HTML contains no personal data. (b) Stripe may transfer payment metadata to the US under the UK addendum to the EU-US Data Privacy Framework for fraud-prevention purposes.

2. Sub-processors

Under UK GDPR these are the third-party services that process data on Truely's behalf, under contract, for specific purposes. Adding a new sub-processor triggers a 30-day notice on this page.

Sub-processorPurposeRegionTheir privacy policy
Vercel Inc. Hosting + edge function execution + privacy-friendly analytics (cookie-free, aggregate-only). UK + EEA + US edge PoPs link
Supabase Inc. Postgres database + auth + REST API. UK (eu-west-2) link
Stripe Payments Europe Ltd Subscription billing + payment processing + invoice generation. UK + EEA link
Transactional email — to be selected Not yet contracted. Evaluating Resend and Postmark (both UK/EEA-based). Will be listed here before the first message is sent.
Anthropic Inc. (planned) Currently not a sub-processor. When the planned "Explain this postcode" Pro feature ships, Anthropic will process the postcode you're viewing (no personal identifiers) to generate the narrative summary. This page will be updated 30 days before the feature ships. US (with EU data residency option) link

3. What data we collect, and why

Truely is a free service for anyone, and a £15/month service for Pro subscribers. The data we collect tracks closely with what we need to operate either:

  • Email address — to sign you in (magic-link auth, no passwords stored). Also receives Stripe receipts if you're a Pro subscriber.
  • Saved postcodes (watchlist) — postcodes you've starred. Stored against your account so they appear when you sign in elsewhere.
  • Search history — the last 50 postcodes you've looked up. Used only to populate the "Recent" list on your account page. Cleared on request.
  • Stripe customer ID + subscription state — to identify your Pro entitlement and serve billing pages.
  • API usage logs (only if you use the Developer API) — timestamp, endpoint path, response status, your API key's visible prefix (not the full token), and bytes returned. Never the request body or query parameters beyond the postcode you queried.

We do not collect: your card number (Stripe holds that, PCI-DSS Level 1), your IP address beyond ephemeral request logging, your browser fingerprint, your location beyond what's in the postcode you typed, your name (unless you tell Stripe), or anything else.

4. How long we keep it

  • Account, watchlist, search history — until you delete your account, then immediately purged (subject to the legal exceptions below).
  • API usage logs (raw) — 30 days, then automatically deleted.
  • API usage aggregates (daily counts per key) — 13 months, for invoicing and analytics.
  • Billing records (paid invoices) — 6 years from invoice date, as required by HMRC for VAT-eligible records. Retained even if you delete your account — invoice-level personal data is replaced with a stable internal customer ID at deletion.
  • Consent records (cooling-off waiver) — 6 years from subscription start, as required by the Consumer Contracts Regulations 2013 reg 36 evidence-of-consent rule.

5. Security posture

  • HTTPS-only with HSTS preload. HTTP requests are 308-redirected. TLS 1.2 minimum, TLS 1.3 preferred. HTTP/2 across the entire edge.
  • Content Security Policy — strict CSP with no inline scripts (except for editorial inline styles), no eval, no third-party JavaScript beyond Leaflet (maps), Chart.js (graphs), Supabase JS, and Vercel Analytics. CSP source available in vercel.json on our public repo.
  • X-Frame-Options DENY — Truely cannot be embedded in an iframe, preventing click-jacking.
  • Row-Level Security on Supabase — every user-data table has RLS policies; you can only read/write your own rows. Service-role keys live in Vercel env vars only.
  • API keys SHA-256 hashed at rest. Plaintext shown once at creation, then never persisted by Truely.
  • Stripe webhook signature verification on every event — we use Stripe's library to verify Stripe-Signature against our STRIPE_WEBHOOK_SECRET before processing any payment-state change.
  • No third-party advertising, no Facebook Pixel, no Google Analytics, no fingerprinting library, no behaviour-tracking SDK.

6. Your rights under UK GDPR

You have the right to:

  • Access the personal data we hold about you — use the JSON export button on your account page, or email us.
  • Rectify inaccurate data — most account fields are editable; email for anything else.
  • Erase your data — one-click delete from your account page. Removes everything except HMRC-required billing records (with personal identifiers stripped) and the legally-required cooling-off-waiver consent record.
  • Restrict processing — pause our processing during a complaint. Email hello@truely.uk.
  • Object to processing — we have no "legitimate interest" processing you'd need to object to; we operate on contract (for paid subscribers) and consent (for the legacy Pro waitlist record, if you had one).
  • Portability — JSON export from your account.
  • Complain to the ICO at ico.org.uk if you think we've mishandled your data. We'd appreciate you emailing us first so we can fix the issue, but you're not required to.

7. Data Processing Agreement (DPA)

Available on request for:

  • API Team-tier and Enterprise subscribers,
  • any organisation deploying Truely API for business use where they need a controller-to-processor agreement under UK GDPR Article 28,
  • any consumer-tier subscriber who reasonably needs one (we'll sign a standard SCC-style DPA).

Email hello@truely.uk. Standard turnaround: one business day.

8. Reporting a security issue

If you find a vulnerability, please email hello@truely.uk with the details (URL, reproduction steps, screenshots if helpful). Encrypt to our PGP key if your finding is sensitive — key available on request. We respond to security reports within 24 hours and aim to remediate or disclose within 30 days of triage. We don't currently run a bug bounty, but we do publicly credit responsible disclosure on the changelog at /api if you'd like the recognition.

9. Where the legal detail lives

  • Privacy policy — the full UK GDPR-compliant detail, including third-party processors, retention periods, lawful basis per data type.
  • Terms of Service — the contract you accept when using Truely.
  • Refunds & Cancellation — UK CCR 2013 cooling-off rights, refund mechanics, material-failure scenarios.
  • Cookies — what we use (almost nothing — see the page for the detail).
  • API Compliance section — technical detail for procurement teams: data residency, sub-processors, log retention, transport security.

10. Contact

All trust, security, and compliance questions: hello@truely.uk. We respond within one business day and most queries are resolved the same day.