Privacy Policy

Outpost Limited (“Outpost”) is the data controller for all personal data processed through the outpost.tools website and connected applications. Our registered office is in the United Kingdom and we comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation, and the Data Protection Act 2018.

You can contact our Data Protection lead at privacy@outpost.tools.

We collect only the data we genuinely need to provide our service:

• Account data: email address, country, and (for paid plans) billing information processed by Stripe
• Property queries: the addresses, postcodes, and listing URLs you analyse
• Report metadata: the reports we generate are linked to your session and (for logged-in users) your account
• Technical data: IP address, browser type, device type, and pages visited — collected via privacy-friendly analytics
• Communications: if you email us, we store the messages so we can respond and improve the service

Under UK and EU GDPR we process your data on the following lawful bases:

• Contract: to provide the analysis service you requested and to administer your subscription
• Legitimate interests: to improve our product, prevent fraud, and secure our infrastructure
• Consent: for optional marketing emails and non-essential cookies — withdrawable at any time
• Legal obligation: for tax, accounting, and regulatory compliance

• Account data: for the lifetime of your account, plus 30 days after account closure
• Property reports: for 12 months after generation, then automatically anonymised
• Billing records: for 7 years to comply with UK tax law
• Marketing list: until you unsubscribe (one-click in every email)
• Analytics: aggregated and anonymised after 90 days

You have the following rights regarding your personal data. Most can be exercised directly from your account; for the rest, email privacy@outpost.tools and we will respond within 30 days.

• Right of access: request a copy of the data we hold about you
• Right to rectification: correct inaccurate or incomplete data
• Right to erasure (“right to be forgotten”): request that we delete your data
• Right to restrict processing: ask us to limit how we use your data
• Right to data portability: receive your data in a machine-readable format
• Right to object: object to processing based on legitimate interests, including marketing
• Right to withdraw consent: at any time, without affecting prior processing
• Right to lodge a complaint: with the UK Information Commissioner’s Office (ico.org.uk) or your local supervisory authority

To deliver the service we use a small number of carefully chosen sub-processors. Each is bound by GDPR-compliant Data Processing Agreements.

• Vercel Inc. — hosting and edge infrastructure (USA, with EU data residency where available)
• Supabase Inc. — database and authentication (EU region)
• Stripe Inc. — payment processing (USA, Standard Contractual Clauses in place)
• Resend Inc. — transactional and marketing email (EU region)
• Google LLC — Gemini AI model for narrative generation (USA, no personal data is sent to the model)
• OpenStreetMap Foundation — geocoding (UK, no account data shared)

Where we transfer personal data outside the UK or European Economic Area — for example to our US-based hosting and AI providers — we rely on UK-approved Standard Contractual Clauses, the EU’s Standard Contractual Clauses, and the UK-US Data Bridge where applicable. We carry out a Transfer Impact Assessment for each sub-processor.

We protect personal data using industry-standard measures including TLS encryption in transit, AES-256 encryption at rest, hashed passwords, scoped API keys stored in encrypted environment variables, principle-of-least-privilege access controls, and regular security reviews. In the unlikely event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours where required by law.

Outpost is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

We may update this Privacy Policy from time to time. Material changes will be communicated via email and a notice on the site at least 14 days before they take effect.

For any privacy-related queries, requests, or complaints, please contact:

Outpost Limited — Data Protection
privacy@outpost.tools