Privacy

Privacy Policy

Effective: 14 June 2026

This policy explains what personal data StripBack collects, why we collect it, who we share it with, and your rights under UK GDPR.

StripBack is a compliance tool for UK landlords, hospitality operators, and trades businesses. Currently operated as a sole trader by Jules Hitchcock, based in Plymouth, UK. We are the data controller for the personal data described below. Contact: hello@stripback.app.

What we collect

From you, directly

Email address — for account access and sending compliance alerts.
First name — used for personalised salutations in the app and emails.
Mobile phone number (optional) — for SMS alerts on red-tier (imminent) deadlines. Only used if you opt in.
Business profile — your business type (Property, Hospitality, or Trades), business structure (sole trader, limited, partnership), postcode, preferred language, and niche-specific details such as property count, trade type, or hospitality site count. We use these to tailor which regulations are relevant to where you operate and to personalise your daily brief.
Compliance reminders you set — certificate types (gas safety, EICR, EPC, etc.), due dates, and property labels.
Documents you upload to the Vault — PDFs and images of compliance certificates.
Contractor contact details for Auto-Chaser — names and email addresses of tradespeople you've assigned for certificate renewals, so we can email them on your behalf.
Feedback you submit — text you enter in the Feedback tab.

Automatically

Scanner usage counts — daily counts of scans for rate limiting. We do not retain the content of scanned documents beyond the AI processing call.
Session cookie — a signed cookie containing your email and an expiry timestamp, used to keep you logged in across visits. See "Cookies" below.
Error logs — when something goes wrong in the app, we capture the technical details to our error tracking service. Your email is attached so we can investigate.

From third parties

Stripe — confirmation that you've paid, plus billing email and subscription status. We never see or store your card details.

Why we collect it

We use your data only to provide the StripBack service: to send you compliance alerts, store your documents securely, monitor regulatory feeds for your niche, and contact your tradespeople on your behalf when you arm Auto-Chaser.

We do not sell your data. We do not use it for advertising. We do not share it for marketing purposes.

How we use AI

Artificial intelligence is central to how StripBack works. We use Anthropic's Claude to:

Write your personalised daily letter and tracker brief — generated each morning from your reminders, business profile, and compliance state, and stored to your account.
Translate new regulations into plain English for your niche and region.
Extract dates and details from documents you scan or upload.

To do this, your reminders, business profile (including postcode and niche), and document content are sent to Anthropic for processing. Anthropic does not use your data to train its models. AI output is best-effort and may contain errors — every regulatory summary links to its original source, and you should verify critical compliance information against that source (see our Terms). We also run an automated grounding check on the AI-written letters and briefs to catch unsupported claims before they reach you, though no AI system is perfect.

Marketing communications

We use your email to send transactional communications only: compliance alerts you've set, document share confirmations, billing notices, password-less login confirmations, and service announcements (e.g. planned maintenance, material changes to terms).

We do not send marketing emails or newsletters. If we ever introduce optional product updates or a newsletter, you will be asked to opt in explicitly. You can unsubscribe from transactional emails at any time, but doing so means you will no longer receive compliance alerts — defeating the purpose of the service.

Tradespeople contacted via Auto-Chaser

If a StripBack customer has set up Auto-Chaser with your contact details (for example, your customer named you as their gas engineer or electrician), we will send you emails on their behalf at 30, 14, and 7 days before each certificate expires, asking you to upload the renewed certificate via a secure link.

We process your name and email address (and optionally phone number for SMS, if our customer has Sentinel tier) only as needed to deliver these reminder emails. We do not share your details with other third parties, do not use them for marketing, and do not retain more than is needed for the customer relationship between you and them.

If you do not wish to receive these emails — or if you believe your details were added without your knowledge — email us at hello@stripback.app and we will:

Remove your details from the customer's Auto-Chaser configuration within 5 working days
Notify our customer that the chaser has been disabled for you
Confirm with you when this is complete

You have all the standard UK GDPR rights listed in "Your rights" below.

Lawful basis

We process your personal data under the following UK GDPR lawful bases:

Contract (Article 6(1)(b)) — for processing necessary to deliver the StripBack service you've subscribed to.
Legitimate interests (Article 6(1)(f)) — for error logging and product improvement, balanced against your right to privacy.
Consent (Article 6(1)(a)) — for optional SMS alerts (you provide your phone number knowing it will be used for this) and any future marketing communications.

Who we share it with

We use the following third-party processors to deliver the service. Each is bound by a data processing agreement with appropriate UK GDPR safeguards.

Service	What they process	Location
Vercel	Application hosting and serverless compute, including the scheduled jobs that generate your daily letter and tracker brief	EU (Dublin)
Supabase	Primary database and document storage	EU
Anthropic (Claude)	AI generation of your daily letter and tracker brief, plain-English regulatory summaries, and date extraction from scanned or uploaded documents — processing your reminders, business profile, and document content. Does not train on your data.	US
Resend	Transactional email delivery (alerts, document shares, Auto-Chaser emails)	EU/US
Twilio	SMS delivery for red-tier alerts (only if you've opted in)	UK/US
Stripe	Subscription billing and payment processing	UK/US
Sentry	Error tracking; your email is attached to captured errors for debugging	EU
Cloudflare	DNS, and landing-page hosting / CDN	Global edge

Where data is processed outside the UK, transfers are made under adequacy decisions or appropriate UK GDPR-recognised safeguards (Standard Contractual Clauses or equivalent).

How long we keep it

While you're an active subscriber — we keep all data necessary to deliver the service.
After cancellation — your account data is retained for 30 days, then permanently deleted. Billing records are retained for 6 years to meet UK tax requirements (anonymised where possible).
On request — we will delete your account and associated data within 7 working days of receiving your request at hello@stripback.app.
Email delivery logs — retained for 30 days by Resend per their standard retention.
Error logs — retained for 90 days by Sentry per their standard retention.

Cookies

StripBack uses one strictly-necessary cookie:

sb_session — keeps you logged in across visits. HMAC-signed, contains your email and an expiry timestamp, expires after 30 days. Required for the service to function — no consent banner is shown because strictly-necessary cookies are exempt from PECR consent requirements.

We do not use analytics cookies, marketing cookies, or any third-party tracking cookies. We do not run cross-site trackers.

Your rights under UK GDPR

You have the right to:

Access — request a copy of the personal data we hold about you
Rectify — correct anything inaccurate
Erase — request deletion of your account and associated data
Port — receive your data in a machine-readable format
Object — to how we process your data
Restrict — limit how we use your data
Withdraw consent — at any time, for processing that requires consent (e.g. SMS opt-in)

To exercise any of these rights, email hello@stripback.app. We will respond within 30 days.

If you believe we've mishandled your data, you can lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

Security

All data is transmitted over HTTPS. Documents in the Vault are encrypted at rest in Supabase Storage. The session cookie is HMAC-signed to prevent forgery. Access to our production systems is restricted to the operator (currently a sole individual) and is protected by two-factor authentication.

No system is perfectly secure. If we ever experience a personal data breach affecting you, we will notify you within 72 hours of becoming aware, as required by UK GDPR.

Children

StripBack is a business-to-business product not directed at people under 18. We do not knowingly collect personal data from children.

Changes to this policy

We may update this policy as our service evolves. When we do, we will update the effective date at the top. Material changes will be emailed to active subscribers.

Contact

For any privacy questions or to exercise your rights: hello@stripback.app.