Privacy Policy

1. Introduction

This Privacy Policy explains how Allocra Ltd ("Allocra", "we", "us", "our") collects, uses, and protects personal data when you visit allocra.co and any of our tool subdomains (together, the "Services"). It applies to the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

Allocra is privacy-first by design. We collect as little personal data as reasonably possible, and we do not sell it.

2. Who we are (the data controller)

Data controller

Allocra Ltd

Company number

17171921 (England & Wales)

Registered office

71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom

Privacy contact

privacy@allocra.co

ICO registration

Registered with the UK Information Commissioner's Office under registration number ZC130444.

3. What data we collect

3.1 Data you give us directly

• Account data (when user accounts launch) — email address, a securely hashed password, and an account identifier. We may also store basic preferences (e.g. base currency).
• Early access sign-ups — email address and any optional details you choose to submit so we can contact you about access.
• Correspondence — any information you include when you email us (for example at hello@allocra.co or privacy@allocra.co).

3.2 Data the Services generate automatically

• Security and operational logs — when you visit the site, our hosting and DNS providers (Vercel and Cloudflare) process limited request information (IP address, request time, user agent) for security, abuse prevention, and reliability. These logs are retained only for as long as is necessary for that purpose.
• Privacy-first analytics — we use Plausible Analytics to understand aggregate site usage (which pages are visited, which referrers send traffic, in-aggregate device-class). Plausible is cookie-free by design, does not use personal identifiers, and does not track you across sites or build advertising audiences. See §3.3.
• Essential cookies — see our Cookie Policy.

3.3 What we don't collect

• We do not run advertising or behavioural tracking. We do not load Google Analytics, Meta Pixel, or other cross-site trackers.
• We do not sell, rent, or trade your personal data.
• We do not profile users or build advertising audiences.

4. How we use your data, and our lawful basis

Under the UK GDPR, we must have a lawful basis for processing your personal data. Our uses and their lawful bases are:

• Providing an account (once accounts launch) and delivering the Services you sign up for — lawful basis: performance of a contract with you.
• Managing early access sign-ups and contacting you about access — lawful basis: consent (which you can withdraw at any time) and/or legitimate interests in operating a waitlist.
• Responding to your emails or enquiries — lawful basis: legitimate interests in handling correspondence; or performance of a contract where applicable.
• Security, fraud prevention, and keeping the site available — lawful basis: legitimate interests in protecting the Services.
• Meeting our legal and accounting obligations — lawful basis: compliance with a legal obligation.

5. Who processes your data on our behalf

We use a small number of carefully chosen service providers to run Allocra. They process personal data only on our instructions:

• Vercel Inc. — application hosting and deployment for allocra.co and our app subdomains. Processes IP addresses, request metadata, and any data submitted via our forms.
• Supabase Inc. — database, authentication, and storage. Stores account data, waitlist sign-ups, and other server-side records.
• Stripe, Inc. — payment processing for paid subscriptions (when paid plans launch). Processes payment-card data, billing email, and transaction metadata. Allocra does not see or store full card details — they are handled directly by Stripe under PCI DSS.
• Resend — transactional email delivery (account confirmations, password resets, billing notifications). Processes recipient email addresses and message content.
• Plausible Analytics — privacy-first, cookie-free site analytics. Processes a hashed IP for unique-visitor counting only; does not use personal identifiers and does not track across sites.
• Cloudflare, Inc. — DNS and edge network. Processes IP addresses and request metadata for routing, abuse prevention, and reliability.
• Fastmail Pty Ltd — email hosting for our @allocra.co addresses. Processes the contents of any correspondence you send us.
• IONOS / UK registrar — domain registration services.

Where these providers are located outside the UK, transfers are made under the UK's approved safeguards (adequacy regulations, the UK International Data Transfer Agreement, or equivalent Standard Contractual Clauses with the UK Addendum).

6. How long we keep data

• Account data — for as long as your account is active, plus up to 30 days after deletion (to allow reversal of accidental deletion and to complete cleanup), unless a longer period is required by law.
• Early access sign-ups — until you ask us to remove your email, or until we close the waitlist and migrate sign-ups, whichever is sooner.
• Email correspondence — typically up to 24 months from last contact, unless it is relevant to an ongoing matter.
• Security logs — typically up to 30 days, in line with our infrastructure provider's defaults.
• Records we are legally required to keep (e.g. accounting records) — for the period required by law.

7. Your rights

You have the following rights under UK data protection law. You can exercise any of them at any time by emailing privacy@allocra.co:

• Right of access — to request a copy of the personal data we hold about you.
• Right to rectification — to have inaccurate data corrected.
• Right to erasure — to have your data deleted, subject to legal retention requirements.
• Right to restriction — to restrict how we use your data in certain circumstances.
• Right to data portability — to receive your data in a structured, commonly used format.
• Right to object — to processing based on our legitimate interests.
• Right to withdraw consent — where processing is based on consent, without affecting earlier lawful processing.

We aim to respond to all rights requests within one calendar month. Most requests are free; we may charge a reasonable fee only where a request is manifestly unfounded or excessive, as permitted by law.

8. Complaints

If you believe we have mishandled your personal data, please contact us first at privacy@allocra.co so we can try to resolve it. You also have the right to lodge a complaint with the UK Information Commissioner's Office (the ICO) at ico.org.uk or by calling 0303 123 1113.

9. Security

We take reasonable technical and organisational measures to protect personal data — including TLS encryption in transit, password hashing, access controls, and keeping the attack surface small by not collecting data we don't need. No system can be guaranteed to be completely secure. If a personal data breach ever occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected users without undue delay, as required by law.

10. Children

The Services are not directed at children under 18, and we do not knowingly collect personal data from anyone under 18. If you believe we may hold data relating to a minor, please contact us so we can delete it.

11. Changes to this policy

We will update this policy from time to time — for example when a new tool, feature, or provider is introduced. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email.

12. Contact

For any privacy question or to exercise your rights, email privacy@allocra.co or write to:

Privacy — Allocra Ltd
71-75 Shelton Street
Covent Garden
London WC2H 9JQ
United Kingdom