
Privacy Policy

Last updated: March 2026

Scenarios ("we", "us", "our") is operated by Scenarios Software Ltd, a company registered in England and Wales. We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller is Scenarios Software Ltd (registered in England and Wales, Company No. 17046348), contactable at privacy@scenarios.uk. We are registered with the Information Commissioner's Office (ICO) under registration number ZC115276.

2. What We Collect

We collect the minimum data necessary to provide the service:
Account data: email address, name (optional), and hashed password when you sign up. If you use Google sign-in, we receive your email and display name from the provider.
Financial plan data: the retirement scenarios you create, including account balances, pension details, spending assumptions, and portfolio allocations. This data is stored to provide the service and is never shared with third parties.
Subscription data: your plan tier (Free, Individual, or Household). Payment processing is handled entirely by Stripe — we do not store card numbers, bank details, or billing addresses.
Technical data: anonymised usage analytics (page views, feature usage) to improve the product. We do not use advertising trackers or sell data to third parties.
Marketing preferences: whether you have opted in to receive product update emails, and the date consent was given or withdrawn.

3. Lawful Basis for Processing

We process your data under the following lawful bases (UK GDPR Article 6):
Contract (Art. 6(1)(b)): processing account and plan data is necessary to provide the Scenarios service you have signed up for.
Legitimate interest (Art. 6(1)(f)): anonymised analytics help us improve the product. We have conducted a legitimate interest assessment and concluded this does not override your rights.
Consent (Art. 6(1)(a)): marketing emails are only sent to users who have explicitly opted in at signup or via their account settings (PECR Regulation 22).

4. How We Store Your Data

Server-side: Your data is stored in Supabase, which uses AWS infrastructure in the EU (Frankfurt, eu-central-1). Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Database backups are encrypted and retained for 7 days. We do not transfer your data outside the UK/EEA.
Client-side: Your financial plan data is also stored locally on your device using your browser's localStorage. This allows the tool to work offline and reduces server load. Locally stored data remains on your device until you clear your browser data or delete it through the application. See section 6 for full details of client-side storage.

5. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with:
Supabase (database hosting and authentication) — as a data processor under a Data Processing Agreement.
Stripe (payment processing) — as an independent data controller for payment data. See Stripe's privacy policy.
Sentry (error monitoring) — as a data processor. Receives technical error reports that may include IP addresses and browser metadata to help us diagnose and fix issues.
Resend (email delivery) — as a data processor. Receives email addresses to deliver transactional and, where you have opted in, marketing emails on our behalf.

6. Cookies & Local Storage

Under the Privacy and Electronic Communications Regulations (PECR), cookies, localStorage, and sessionStorage are all treated as storing information on your device. Scenarios uses these technologies only for purposes that are strictly necessary to provide the service you have requested:
Authentication cookies: Supabase sets secure, HTTP-only session cookies to keep you logged in. These are deleted when you sign out.
Plan storage (localStorage): your financial plan data is saved locally on your device so it persists between visits. For logged-in users this is also synced to our database. Clearing your browser data will remove locally stored plans.
Session data (sessionStorage): temporary state such as in-progress onboarding data. This is automatically cleared when you close your browser tab.
Account ID mapping (localStorage): a small mapping used to link your locally created plans to your server-side account when you sign up or log in.
We do not use advertising cookies, social media trackers, or third-party analytics cookies. Because all storage is strictly necessary to deliver the service you have requested, no cookie consent banner is required under PECR Regulation 6(4). However, we disclose all storage mechanisms here for full transparency.

7. Marketing Communications

We will only send you marketing emails (product updates, feature announcements, tips) if you have given explicit opt-in consent, in accordance with UK PECR (Regulation 22) and UK GDPR. Consent is collected via an unticked checkbox at signup and is separate from your agreement to our Terms of Service. We record who consented, when, and how.
You can withdraw your consent at any time by unchecking the preference in your Account & Billing settings or by clicking the unsubscribe link included in every marketing email. Withdrawal is effective immediately. Transactional emails (password resets, billing confirmations, security alerts) are not affected by your marketing preference — these are necessary to operate the service.

8. Your Rights

Under UK GDPR, you have the right to:
Access your data — request a copy of everything we hold about you.
Rectification — correct inaccurate personal data.
Erasure — request deletion of your account and all associated data ("right to be forgotten").
Portability — receive your plan data in a machine-readable format. Use the "Download My Data" button on your Account & Billing page for an instant JSON export, or export individual plans as CSV/PDF from the dashboard.
Restriction — ask us to stop processing your data while a complaint is resolved.
Object — object to processing based on legitimate interest.
Access and portability rights can be exercised directly from your Account & Billing page. For all other requests, email privacy@scenarios.uk. We will respond within 30 days.

9. Data Retention

We retain your account and plan data for as long as your account is active. If you delete your account, all personal data and saved plans are permanently deleted within 30 days. Anonymised analytics data (which cannot identify you) may be retained indefinitely.

10. Children

Scenarios is not intended for use by anyone under 18. We do not knowingly collect data from minors. If we become aware that a user is under 18, we will delete their account and data.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered users. The "last updated" date at the top of this page reflects the most recent revision.

12. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. We would appreciate the chance to address your concerns first — please contact us at privacy@scenarios.uk.
© 2026 Scenarios Software Ltd. Not regulated financial advice.
Scenarios is a trading name of Scenarios Software Ltd. Registered in England and Wales. Company No. 17046348. ICO registration: ZC115276.
Registered office: 1 Lievesley Grove, Nottingham, NG4 4LW