Privacy Policy

Last updated: February 2026

1. Who we are

Thresholdy ("we", "us", "our") is a product operated by a UK-based sole trader under the domain thresholdy.co.uk.

We are the data controller for personal data processed through this service.

You can contact us regarding data matters at legal@thresholdy.co.uk.

2. What data we collect and why

Waitlist signups

Data: Email address.
Purpose: To notify you when Thresholdy launches or when your early access is ready.
Legal basis: Consent (Article 6(1)(a) UK GDPR).
Retention: Until you unsubscribe or request deletion, or 24 months from signup if no account is created.

Account registration

Data: Email address, name (if provided), authentication credentials managed by Clerk.
Purpose: To create and manage your account and authenticate your access to the service.
Legal basis: Contract (Article 6(1)(b) UK GDPR) — necessary to provide the service you signed up for.
Retention: For the lifetime of your account, plus 30 days after deletion to allow recovery.

Stripe API key

Data: Your Stripe restricted API key, stored encrypted with AES-256-GCM. The plaintext key is never stored and is decrypted only in server memory when needed to fetch your transaction data.
Purpose: To read your transaction history from Stripe on your behalf and calculate your VAT position.
Legal basis: Contract (Article 6(1)(b) UK GDPR).
Retention: Until you disconnect your Stripe account or delete your Thresholdy account.

Transaction data

Data: Transaction amounts (in GBP), dates, customer country codes, currency, Stripe charge IDs, and transaction descriptions as returned by Stripe.
Purpose: To calculate your rolling 12-month VAT threshold position and provide the dashboard reporting features.
Legal basis: Contract (Article 6(1)(b) UK GDPR).
Retention: Rolling 12-month window, refreshed on each sync. Deleted when your account is deleted.

Support tickets

Data: Name, email address, and message content submitted via the support form.
Purpose: To respond to your support request.
Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR) — providing customer support.
Retention: 2 years from submission date.

Analytics and usage data

Data: Page views, referring URLs, browser type, country, and device type. No personally identifiable information is collected. No cookies are used for analytics.
Purpose: To understand how the service is used and improve it.
Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR).
Provider: Vercel Analytics (cookieless, no consent required).

3. Who we share data with

We do not sell your data. We share it only with the following third-party service providers who process it on our behalf:

Clerk

Authentication and user account management

USA (Standard Contractual Clauses apply)

Supabase

Database hosting for transaction data, settings, and support tickets

EU (AWS eu-west-2)

Vercel

Hosting, deployment, and cookieless analytics

USA (Standard Contractual Clauses apply)

Stripe

Payment processing for your Thresholdy subscription (not your customers' Stripe data)

USA (Standard Contractual Clauses apply)

4. International data transfers

Some of our service providers are based outside the UK (primarily the USA). Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) approved by the ICO.

5. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Ask us to correct inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data. You can delete your account from Settings, which removes all stored data within 30 days.
  • Right to data portability: Request your transaction data in a machine-readable format (CSV export is available directly in the dashboard).
  • Right to restrict processing: Ask us to limit how we use your data in certain circumstances.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, contact us at legal@thresholdy.co.uk. We will respond within one calendar month.

You also have the right to lodge a complaint with the ICO: ico.org.uk · 0303 123 1113.

6. Security

We take reasonable technical and organisational measures to protect your data. Stripe API keys are encrypted at rest using AES-256-GCM. All data is transmitted over HTTPS. Access to production databases is restricted to authorised personnel only.

No method of transmission or storage is 100% secure. If you believe your data has been compromised, contact us immediately at legal@thresholdy.co.uk.

7. Cookies

Thresholdy uses a small number of strictly necessary cookies set by Clerk to manage your authenticated session. These are essential for the service to function and do not require your consent under UK PECR.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Our analytics provider (Vercel Analytics) is cookieless.

8. Changes to this policy

We may update this policy periodically. We will notify registered users of material changes by email. The "last updated" date at the top of this page always reflects the most recent version.

9. Contact

For any privacy-related questions or data requests: legal@thresholdy.co.uk