Privacy Policy

Last updated: March 2026

1. Who we are

Thresholdy ("we", "us", "our") is a UK-based sole trader product operated under the domain thresholdy.co.uk.

We are the data controller for personal data processed through this service.

You can contact us regarding data matters at legal@thresholdy.co.uk.

2. What data we collect and why

Account registration

Data: Email address, name (if provided), authentication credentials managed by Clerk.
Purpose: To create and manage your account and authenticate your access to the service.
Legal basis: Contract (Article 6(1)(b) UK GDPR) — necessary to provide the service you signed up for.
Retention: For the lifetime of your account, plus 30 days after deletion to allow recovery.

Stripe API key

Data: Your Stripe restricted API key, stored encrypted with AES-256-GCM. The plaintext key is never stored; the key is decrypted only in server memory when needed to fetch your transaction data.
Purpose: To read your transaction history from Stripe on your behalf and calculate your VAT position.
Legal basis: Contract (Article 6(1)(b) UK GDPR).
Retention: Until you disconnect your Stripe account or delete your Thresholdy account.

Transaction data

Data: For each transaction imported from Stripe, PayPal, Gumroad, Ko-fi, or Lemon Squeezy, we store: transaction amount (in original currency and GBP equivalent), date, 2-letter ISO customer country code, currency code, a transaction or order identifier, and a product or payment description. For Stripe we also store the pseudonymous Stripe Customer ID (cus_xxx) and charge ID (ch_xxx). We do not store customer names, email addresses, or any other personally identifiable information about your customers.
Purpose: To calculate your rolling 12-month VAT threshold position, EU OSS liability by country, and provide the dashboard reporting and CSV export features.
Legal basis: Contract (Article 6(1)(b) UK GDPR).
Retention: Stored for the lifetime of your account. Deleted when your account is deleted.

Support tickets

Data: Name, email address, and message content submitted via the support form.
Purpose: To respond to your support request.
Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR) — providing customer support.
Retention: 2 years from submission date.

Analytics and usage data

Data: Page views, referring URLs, browser type, country, and device type. No personally identifiable information is collected. No cookies are used for analytics.
Purpose: To understand how the service is used and improve it.
Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR).
Provider: Vercel Analytics (cookieless, no consent required).

3. Who we share data with

We do not sell your data. We share it only with the following third-party service providers who process it on our behalf:

Clerk

Authentication and user account management

USA (Standard Contractual Clauses apply) · Privacy policy

Supabase

Database hosting for transaction data, settings, and support tickets

EU (AWS eu-west-2) · Privacy policy

Vercel

Hosting, deployment, and cookieless analytics

USA (Standard Contractual Clauses apply) · Privacy policy

Stripe

Payment processing for your Thresholdy subscription (not your customers' Stripe data)

USA (Standard Contractual Clauses apply) · Privacy policy

4. International data transfers

Some of our service providers are based outside the UK (primarily the USA). Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) approved by the ICO.

5. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Ask us to correct inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data. You can delete your account from Settings, which removes all stored data within 30 days.
  • Right to data portability: Request your transaction data in a machine-readable format (CSV export is available directly in the dashboard).
  • Right to restrict processing: Ask us to limit how we use your data in certain circumstances.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, contact us at legal@thresholdy.co.uk. We will respond within one calendar month.

You also have the right to lodge a complaint with the ICO: ico.org.uk · 0303 123 1113.

6. Security

We take reasonable technical and organisational measures to protect your data. Stripe API keys are encrypted at rest using AES-256-GCM with a per-key random initialisation vector. All data is transmitted over HTTPS. Our database enforces Row Level Security (RLS) so that each user's data is isolated and cannot be accessed by other users. Access to production infrastructure is restricted to authorised personnel only.

No method of transmission or storage is 100% secure. If you believe your data has been compromised, contact us immediately at legal@thresholdy.co.uk.

7. Cookies

Thresholdy uses a small number of strictly necessary cookies set by Clerk to manage your authenticated session. These are essential for the service to function and do not require your consent under UK PECR.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Our analytics provider (Vercel Analytics) is cookieless.

8. Changes to this policy

We may update this policy periodically. Material changes will be notified to registered users by email. The "last updated" date at the top of this page always reflects the most recent version.

9. Contact

For any privacy-related questions or data requests: legal@thresholdy.co.uk