Retrofit Radar is operated as a sole-trader business based in the United Kingdom. Contact: hello@example.com.
Account data: name, email, profile image (from Google sign-in).
Usage data: searches you run, leads you save, exports you download, IP address, user-agent.
Billing data: handled by Polar.sh, our Merchant of Record, which processes your card data, charges your card, and remits VAT. We never see your full card details.
We do NOT use third-party advertising trackers.
To run the service (authenticate you, deliver search results, process exports).
To communicate operationally (account notices, billing receipts, security alerts).
To improve the product (aggregated, de-identified usage analytics).
Property data on this platform comes from the UK EPC Register, Companies House, and HM Land Registry. These are public datasets published under open licences.
When you contact a property owner using addresses surfaced by Retrofit Radar, you become the controller for that downstream marketing. You must comply with PECR (the Privacy and Electronic Communications Regulations) and UK GDPR — we publish a short compliance primer in our help docs.
Application data: Cloudflare Workers (UK/EU edge) and Neon Postgres (eu-west-2, London).
Authentication: Better Auth running on our infrastructure.
Sub-processors: Cloudflare (Workers + AI Gateway, US/UK edge); Neon (Postgres, eu-west-2 London); Polar.sh (billing, Merchant of Record); Anthropic (LLM provider for AI-drafted outreach emails, US; transfers are covered by the UK International Data Transfer Addendum to the EU SCCs, and we send only the property fields you choose to draft for, no account data); Resend (transactional email delivery); Google (sign-in only).
Account data: kept while your account is active and for 30 days after deletion (recovery window), then erased.
Usage logs: 90 days, then aggregated.
Billing records: 7 years (HMRC requirement).
You can request access, correction, deletion, or export of your personal data at any time. Email hello@example.com — we respond within 30 days.
You can complain to the UK Information Commissioner’s Office (https://ico.org.uk) if you believe we have mishandled your data.
We use one cookie: the session cookie that keeps you signed in. It is HttpOnly, Secure, SameSite=Lax, and expires after 7 days of inactivity. We do not use marketing cookies.
We notify you of material changes by email 14 days in advance. The latest version always lives at /privacy with a "last updated" date.