Privacy Policy

How Thawly collects, uses, and protects personal data under the UK GDPR and Data Protection Act 2018. Last updated 06-05-2026.

1. Who we are

Thawly Ltd ("Thawly", "we", "us") is a company registered in England and Wales (Company No. Registration details forthcoming). Registered office: Registration details forthcoming. ICO registration reference: Registration details forthcoming.

For privacy-related questions, contact privacy@thawly.co.uk.

2. Scope of this policy

This policy explains how we handle personal data when you visit thawly.co.uk, sign up for an account, or use the Thawly service.

Thawly is a B2B service. The companies you upload to Thawly are third-party business entities, not natural persons — see "What we do not store" below.

3. What we store

The personal data we hold is limited to:

  • Account data managed by our authentication provider Clerk: your email address, name (if supplied), and organisation membership.
  • Billing data managed by Stripe: a Stripe customer ID linked to your organisation. We do not store card numbers; Stripe handles all payment information.
  • Usage logs and product telemetry needed to operate the service (e.g. timestamps of digest sends, error logs).

We also store data about businesses (not natural persons) that you upload or that we collect from public sources: company names, UK company registration numbers, deal values, lost dates, lost reasons, your internal notes, and signal data sourced from public UK business registries and licensed enrichment APIs.

4. What we do not store

Thawly is deliberately built so we do not collect contact-level personal data of third parties. Specifically, we do not store:

  • Names, email addresses, phone numbers, or job titles of individuals at the companies you monitor.
  • Salesperson contact records or CRM contact lists.
  • Special category data (health, ethnicity, beliefs, etc.).

If your CSV upload contains contact-level fields, those columns are ignored on import and not persisted.

5. Why we process personal data (lawful basis)

  • Contract — to provide the service to paying and trial users (account creation, authentication, billing, sending digests).
  • Legitimate interests — to monitor public-source business signals about the companies you have uploaded, to operate and secure the service, and to communicate service-related updates. We have assessed that this processing has minimal privacy impact because we deliberately exclude contact-level personal data.
  • Legal obligation — to retain financial records as required by HMRC and Companies Act obligations.
  • Consent — where required, e.g. optional marketing emails. You can withdraw consent at any time.

6. Sub-processors

We use the following sub-processors to operate Thawly. Each is bound by a written data processing agreement.

  • Clerk — authentication and user management
  • Stripe — payment processing
  • Resend — transactional email
  • Anthropic — AI message drafting (Claude API)
  • Supabase — database and storage (EU region)
  • Vercel — application hosting
  • Railway — background workers

See our Data Processing Addendum for the controller/processor framework that applies to customer data.

7. Where data is stored

Customer data is hosted on Supabase's EU region. Application hosting is provided by Vercel; static assets are served via global CDN. Where data is transferred outside the UK or EEA — for example, to Anthropic for AI message drafting — we rely on the UK International Data Transfer Addendum, EU Standard Contractual Clauses, or equivalent safeguards.

8. Retention

  • Account data is retained while your organisation has an active Thawly account, then deleted within 30 days of account closure (with backups purged within 90 days).
  • Signal data tied to a deleted company is removed when the parent company record is deleted.
  • Copy tokens (Claude-drafted messages cached for digest links) have a 90-day TTL and are purged automatically.
  • Financial records may be retained for up to 7 years to meet HMRC requirements.

9. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request erasure ("right to be forgotten").
  • Restrict or object to certain processing.
  • Receive a portable copy of your data.
  • Withdraw consent where processing is based on consent.

Most rights can be exercised directly in the app (settings, billing, export, delete). For anything else, email privacy@thawly.co.uk and we will respond within 30 days.

You also have the right to complain to the UK Information Commissioner's Office (ico.org.uk) if you believe we have not handled your data lawfully.

10. Cookies and analytics

Thawly uses only strictly necessary first-party cookies. We do not set advertising, marketing, or cross-site tracking cookies, and we do not load third-party analytics scripts on the marketing site or chat widget.

Under UK ICO guidance, cookies that are strictly necessary to deliver a service explicitly requested by the user are exempt from PECR consent gating. The cookies below all qualify under that exemption — none are used for analytics, profiling, or advertising.

Cookies we set

  • tw_visitor_id — random UUID identifying the chat thread for the AskThawly support widget on thawly.co.uk.
    • Purpose: link follow-up messages to the same thread.
    • Lifetime: 90 days.
    • Classification: strictly necessary (PECR-exempt — the cookie identifies the chat thread for the feature itself, not analytics or advertising).
  • __session (and related Clerk session cookies, e.g. __client, __clerk_db_jwt) — set by our authentication provider Clerk on app.thawly.co.uk.
    • Purpose: authenticate the signed-in user and maintain their session.
    • Lifetime: session (cleared on sign-out) plus short-lived refresh tokens.
    • Classification: strictly necessary.
  • Stripe checkout cookies — set by Stripe only on Stripe-hosted checkout/billing pages when you start a paid subscription or open the customer portal.
    • Purpose: maintain the secure payment session and prevent fraud.
    • Lifetime: payment session.
    • Classification: strictly necessary.

We do not currently use any other product-analytics or advertising cookies. If we add an analytics tool in the future, this section will be updated and a cookie notice with a consent control will be presented before any non-essential cookies are set.

11. Security

Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted to authorised personnel with multi-factor authentication. See our Security page for details.

12. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email to account owners at least 30 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact

Questions, requests, or complaints: email privacy@thawly.co.uk.