Privacy Policy

Effective date: 27 March 2026 · Last updated: 27 March 2026

This Privacy Policy explains how Truecast Ltd. ("Truecast", "we", "us", or "our") collects, uses, stores, and shares information about you when you use our website at truecast.org and our financial modelling platform (collectively, the "Service"). It also explains your rights under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable privacy laws.

Please read this policy carefully. By using the Service you confirm you have read and understood it. If you do not agree, please discontinue use of the Service.

1. Who we are and how to contact us

The data controller for your personal data is Truecast Ltd. You can contact us at any time regarding this policy or your data:

Email: privacy@truecast.org

For any request relating to your personal data (access, correction, deletion, portability, or objection), the above email address is the fastest route to a response.

2. Data we collect

We collect data in the following categories:

Account data
Your name and email address when you register, and your password in hashed form. If you sign in via a third-party identity provider we receive only the information that provider shares with us (typically name and email).
Financial data you upload
Excel, CSV, and PDF files you upload to the Service. These may contain financial statements, line items, and the assumptions and figures you enter or approve within the platform.
Usage data
Information about how you interact with the Service: pages visited, features used, actions taken (e.g., model generated, scenario created, export downloaded), timestamps, and error logs. This data is collected in aggregate and associated with your account.
Technical data
Your IP address, browser type and version, device type and operating system, and session identifiers. This is collected automatically when you access the Service.
Communications
If you contact us by email or through any support channel, we retain the content of that communication and your contact details.
Payment data
For paid plans, payment is processed by our third-party payment processor. We do not store full payment card numbers. We retain a reference to the transaction, plan type, and billing email.

We do not collect sensitive personal data (such as health data, biometric data, or data revealing racial or ethnic origin) and we ask that you do not upload any such data to the Service.

3. How and why we use your data (lawful basis)

Under UK/EU GDPR, we must have a lawful basis for each processing activity. The table below sets out what we do with your data and the legal basis we rely on.

Purpose | Lawful basis
--- | ---
Create and manage your account | Contract — necessary to provide the Service you signed up for
Generate financial models from your uploaded data | Contract
Process payments for paid plans | Contract; Legal obligation (invoicing/tax)
Send transactional emails (account confirmation, password reset) | Contract
Respond to support or enquiry emails | Legitimate interests — to support our users
Monitor for security threats, fraud, and abuse | Legitimate interests — to protect users and the Service
Analyse aggregated usage to improve the Service | Legitimate interests — product improvement; data is aggregated and cannot identify you
Comply with legal or regulatory obligations | Legal obligation
Send product update or marketing emails | Consent — you may opt out at any time

We do not use your financial data to train AI or machine learning models. Your uploaded financial statements and the models derived from them are used solely to provide the Service to you. They are never shared with other users or used to improve model outputs for third parties.

4. How long we keep your data

Account data
Retained for as long as your account is active. If you close your account, account data is deleted within 30 days, subject to legal hold obligations.
Financial data you upload
Retained for as long as you maintain an active account and the relevant model exists. You may delete individual models at any time, which removes the associated uploaded files and derived data. If you close your account, all uploaded financial data and derived models are deleted within 30 days.
Complete deletion on request
If you submit a verified deletion request, we will delete your personal data — including all backups — within 30 days. This is not a soft delete. We will confirm completion in writing.
Usage and technical data
Retained in aggregate for up to 24 months for product analytics purposes. Individual session logs are retained for 90 days.
Communications
Support emails and other correspondence are retained for 2 years unless you request earlier deletion.
Financial records (invoices, payment records)
Retained for 7 years in compliance with applicable accounting and tax obligations. We cannot delete these on request as they are subject to legal hold.

5. Who we share your data with

We do not sell your personal data. We share it only with the categories of third parties listed below, and only to the extent necessary to provide the Service.

Infrastructure and hosting
Our Service is hosted on Vercel (front-end delivery and serverless functions) and uses a self-hosted PocketBase database on private infrastructure. Both are subject to data processing agreements.
AI processing
Financial document classification and the AI Copilot feature use the OpenAI API. Data sent to OpenAI is processed under a data processing agreement. OpenAI does not use API inputs to train its models. We send only the minimum data necessary for each operation.
Payment processing
Paid subscriptions are processed by Stripe. Stripe receives your billing email and payment card details. We do not receive or store card numbers.
Email delivery
Transactional emails (account confirmation, password reset) are sent via a third-party email delivery provider.
Legal and regulatory
We may disclose data to law enforcement or regulatory bodies if required by law, court order, or to protect the rights and safety of our users or the public.

6. Your rights

Under UK GDPR and EU GDPR, you have the following rights. To exercise any of them, contact us at privacy@truecast.org. We will respond within one calendar month. We may ask you to verify your identity before processing certain requests.

Right of access (Article 15)
You may request a copy of the personal data we hold about you and information about how it is processed.
Right to rectification (Article 16)
If any data we hold about you is inaccurate or incomplete, you may ask us to correct it.
Right to erasure (Article 17)
You may ask us to delete your personal data. We will comply unless we are required to retain it by law. See Section 4 for retention periods.
Right to restriction of processing (Article 18)
You may ask us to pause processing of your data in certain circumstances — for example, while you contest its accuracy.
Right to data portability (Article 20)
You may request a copy of your personal data in a structured, machine-readable format and ask us to transmit it to another controller where technically feasible.
Right to object (Article 21)
You may object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent
Where processing is based on your consent (e.g., marketing emails), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
Right not to be subject to automated decision-making
We do not make decisions with legal or similarly significant effects about you using solely automated processing.

7. International data transfers

Some of our sub-processors (including OpenAI and Vercel) may process data in the United States. Where personal data is transferred outside the UK or European Economic Area, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or the UK ICO
  • Data processing agreements that bind sub-processors to equivalent data protection obligations

You may request details of the specific safeguards in place by contacting privacy@truecast.org.

8. Cookies and tracking

We use a minimal number of cookies strictly necessary to operate the Service, including session cookies required for authentication. We do not use third-party advertising cookies or cross-site tracking technologies.

Session cookies
Set on login to maintain your authenticated session. Deleted when you sign out or after a period of inactivity.
Preference cookies
Used to remember your interface preferences (e.g., colour scheme). These persist across sessions.

You can control cookies through your browser settings. Disabling session cookies will prevent you from logging in to the Service.

9. Security

We apply the following technical and organisational measures to protect your data:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest
  • Access controls limiting staff access to personal data on a need-to-know basis
  • Audit logging of access to sensitive data
  • Hashed and salted password storage — we cannot recover your password
  • Enforced HTTPS across all endpoints

No system is perfectly secure. If you believe your account has been compromised, please contact privacy@truecast.org immediately.

10. Children

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account) and by posting a notice on the Service at least 14 days before the change takes effect.

Your continued use of the Service after a change takes effect constitutes acceptance of the updated policy. If you do not agree to a change, you may close your account before the effective date.

12. Contact and supervisory authority

For any question about this policy or your personal data, contact us at: privacy@truecast.org.

If you are located in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If you are located in the EU, you may contact your local Data Protection Authority.

We would, however, appreciate the opportunity to address your concern before you approach a supervisory authority.