Privacy Policy — UK Pension Compass

Overview

This planner is a personal finance tool. We collect the minimum data needed to run your retirement projections and save your scenarios between sessions. We do not sell data, serve ads, or track behaviour across other sites.

This policy applies to the web application at ukpensioncompass.co.uk and covers data collected through Google sign-in and scenario storage.

Financial disclaimer

UK Pension Compass is a planning and projection tool. It does not provide financial advice.

All projections are estimates based on the inputs you provide. They are not guaranteed and should not be relied upon as a forecast of actual outcomes.
Nothing in this application constitutes a personal recommendation or regulated financial advice within the meaning of the Financial Services and Markets Act 2000.
The tool does not recommend specific financial products, pension providers, investment funds, or drawdown strategies.
Annuity rates shown are illustrative only. Actual rates vary by provider, age, health, and market conditions at the time of purchase.
Tax calculations apply current UK tax rules (2025/26) and do not account for future legislative changes.

You should seek independent financial advice from a suitably qualified adviser before making any financial decisions. A list of regulated advisers can be found at unbiased.co.uk or via the FCA register.

What we collect and why

Your data falls into three categories:

Category	Fields	Why collected	Where stored	Retention
Contact & Identity	Full name, email address, Google user ID — provided automatically by Google sign-in	Authenticate you and associate your saved scenarios with your account	Supabase authentication database (encrypted at rest)	Until account deletion or 3 years of inactivity
Profile	First names, birth months/years, retirement ages, life expectancy, state pension details, plan type, tax regime, spending preferences, inflation rate	Configure the projection engine to your household's planning parameters	Supabase — AES-256-GCM encrypted; unreadable without application key	Until scenario deleted or 3 years of inactivity
Financial	DC pension accounts (values, contributions, growth rate, strategy); DB pension accounts (accrual rate, pensionable salary, scheme parameters); ISA, GIA, savings accounts (balances, contributions, rates, minimum floors, one-off withdrawals); work and property income; annuities; spending target and spending bands; one-off draws. Scenario names are stored separately in plaintext — do not put personal names or sensitive identifiers in scenario titles.	Run retirement projections and save up to 5 named scenarios for comparison	Supabase — AES-256-GCM encrypted; unreadable without application key. Scenario name stored in plaintext.	Until scenario deleted or 3 years of inactivity
Session token	Supabase JWT (contains user ID, email, role, expiry)	Keep you signed in between page loads without re-authenticating	Browser localStorage only — not transmitted to third parties	Expires after 1 hour; cleared on sign-out

We do not collect IP addresses, device identifiers, browsing history, financial account credentials, or National Insurance numbers.

How your data is used

Your scenario data is used solely to:

Run retirement projection calculations on our server (Supabase Edge Functions)
Return results to your browser session
Store up to 5 named scenarios at your request

Projection calculations are stateless — inputs are processed and the result returned; no calculation history is logged or retained.

Third-party services

Service	Role	Data shared
Google	Identity provider (OAuth sign-in)	Name, email, Google user ID — used only for authentication
Supabase	Backend database and serverless functions (data processor)	Google identity, encrypted scenario plans, session tokens
Cloudflare Pages	Static file hosting and CDN	Standard HTTP request metadata (IP, user-agent) — Cloudflare's own privacy policy applies
Google Fonts / jsDelivr / SheetJS CDN	Font and library delivery	Standard HTTP request metadata to load assets — no scenario data

Supabase stores data in EU data centres (specific region to be confirmed). See supabase.com/privacy.

Lawful basis for processing

We process your data under two lawful bases depending on the activity:

Performance of a contract (UK GDPR Art. 6(1)(b)) — storing your scenario plans, running retirement projections, and displaying scenario metadata are the core service you signed up for. Processing is necessary to deliver that service.
Legitimate interests (UK GDPR Art. 6(1)(f)) — authenticating your identity via Google OAuth is necessary to protect your data from unauthorised access. This does not override your privacy interests; you control sign-in at all times.

Your rights (UK GDPR / Data Protection Act 2018)

You have the right to:

Access — request a copy of the data we hold about you by emailing us; we will provide it within 30 days
Correction — edit your planning inputs directly in the app and re-save; contact us if you need help correcting account-level data
Erasure — delete your scenarios individually from the Scenarios panel; request full account deletion by contacting us
Portability — request a copy of your stored planning inputs in machine-readable (JSON) format by emailing us; we will provide them within 30 days
Restriction — where you contest the accuracy of your data or object to processing, you may request that we freeze all processing while the matter is resolved; email us to invoke this right
Object to processing — you may object to processing based on legitimate interests (your Google identity used for authentication); contact us and we will delete your account and all associated data within 30 days

To exercise any of these rights, email UKcompasspension+contact@gmail.com. We will respond within 30 days.

Right to complain: If you are unsatisfied with how we handle your data or a rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

Cookies and local storage

This app does not use tracking cookies. It stores one item in your browser's localStorage: a Supabase session token (JWT) used to authenticate API requests. This token is scoped to this app, expires after 1 hour, and is removed when you sign out.

No third-party advertising or analytics cookies are set.

Security

Scenario plans are encrypted with AES-256-GCM before being written to the database. The encryption key is derived from your user ID and a server-side secret; neither Supabase nor any third party can read your scenario data without the application key.

All data is transmitted over HTTPS. Session tokens are short-lived (1 hour TTL).

Security incidents

In the event of a personal data breach that is likely to affect your rights, we will notify the Information Commissioner's Office within 72 hours and inform affected users without undue delay. The nature of any breach, data categories involved, and steps taken will be disclosed as required by UK GDPR Arts. 33–34.

Marketing and communications

We do not send marketing emails, newsletters, or promotional communications. The only emails you may receive are transactional: account deletion confirmation, data inactivity warnings (see retention policy above), or responses to rights requests you have submitted.

If this ever changes, we will ask for your explicit consent first — an opt-in, not an opt-out.

Age restriction

This application is intended for use by persons aged 18 or over only. We do not knowingly collect personal data from anyone under 18. If you believe a person under 18 has submitted data to us, please contact us and we will delete it promptly.

Business changes

In the unlikely event that UK Pension Compass is sold or transferred to a new owner, your personal data may transfer to the new controller as part of that transaction. If this occurs, you will be notified and your rights under UK GDPR will remain unaffected. Any new controller will be required to honour the commitments made in this policy.

Changes to this policy

If this policy changes materially, we will update the effective date above. Continued use of the app after a policy change constitutes acceptance of the updated terms.

Use of this application is also subject to our Terms of Use.

Contact

Data Controller: UK Pension Compass.

Questions about this policy or requests to exercise your data rights:

UKcompasspension+contact@gmail.com

ICO registration: ZC172526 · Business entity: to be formalised

You also have the right to lodge a complaint at any time with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. You can contact the ICO at ico.org.uk/make-a-complaint or by phone on 0303 123 1113.