Privacy policy.

This page explains what personal data we collect, why we collect it, what we do with it, and what rights you have over it. We've kept it as short and plain as we can. If anything's unclear, email us and we'll explain it properly.

01Who we are

The Investing Couple is operated by Oliver Hayes, a sole trader based in the UK. For the purposes of UK GDPR, Oliver Hayes is the data controller for any personal data collected through this website.

Postal address: Oliver Hayes, Unit 167509, PO Box 7169, Poole, BH15 9EL.
Email: access@theinvestingcouple.co.uk
ICO registration number: ZC151596

02What data we collect

We only collect what we actually need. That's:

• Your email address - if you buy The Starting Line, we use it to send your unlock code and any future updates to the course.
• Payment information - handled entirely by Stripe. We never see or store your card details. We only receive a confirmation that your payment was successful, plus your email and the country your card was issued in.
• A unique customer code - generated when you pay, stored on our side so the course knows you've unlocked it.
• Basic technical data - your browser type and the pages you visit, logged by our hosting provider (Netlify) for security and to keep the site running. This is standard server log data and isn't used to identify you personally.

We use Google Analytics to understand how people use the site - pages visited, time spent, general location (country level). This only runs if you accept cookies when the banner appears. If you decline, no analytics data is collected. See section 09 for full details.

We use an automated Instagram feature through Linktree. If you comment a specific keyword on one of our Instagram posts, you will automatically receive a direct message containing a link to subscribe to our free email course. Linktree processes your Instagram username to send this message. We receive anonymous click data showing how many times the subscription link is tapped — no personally identifiable information is attached to this. This feature operates through Meta's (Instagram's) platform and is subject to their terms.

03Why we collect it

Three reasons, all of them practical:

• To deliver what you've paid for. If you buy the course, we need your email to send your access code. That's a contractual obligation (UK GDPR Article 6(1)(b)).
• To run the site. Standard server logs let us spot problems and protect against abuse. Legitimate interest (Article 6(1)(f)).
• To meet our legal obligations. UK tax law requires us to keep records of sales for six years.

04Who we share it with

We use three companies to run the business. Each one only sees the data they need to do their job.

• Stripe - processes your payment. Their privacy policy is at stripe.com/gb/privacy.
• Resend - sends transactional and marketing emails on our behalf, including course confirmation emails, the 30 Days to Invested email series, and our monthly newsletter. Resend is a US-based company and stores data on servers in the United States. Transfers from the UK to the US are covered by Standard Contractual Clauses and the UK Extension to the EU-US Data Privacy Framework. Their privacy policy is at resend.com/legal/privacy-policy and their Data Processing Addendum is at resend.com/legal/dpa.
• Netlify - hosts the website and stores customer codes. Their privacy policy is at netlify.com/privacy.
• Google Analytics (Google LLC) - if you accept cookies, anonymised usage data (pages visited, session duration, approximate location) is sent to Google. Their privacy policy is at policies.google.com/privacy. This only applies if you consent.
• Linktree - powers our Instagram keyword auto-DM feature. When you comment a keyword on our Instagram posts, Linktree processes your Instagram username to send you a direct message. Anonymous click data is also collected. Their privacy policy is at linktr.ee/s/privacy.
• Meta (Instagram) - the platform through which our Instagram automation operates. Meta processes data in accordance with their own privacy policy at privacycenter.instagram.com/policy.

All providers are reputable with their own GDPR compliance. We don't sell, rent or share your data with anyone else. Not for marketing, not for anything.

05Where your data lives

Stripe stores data within the EU and UK. Netlify stores data globally including in the US, under the UK extension of the EU-US Data Privacy Framework. Resend stores data in the United States, with transfers from the UK covered by Standard Contractual Clauses and the UK Extension to the EU-US Data Privacy Framework. All transfers outside the UK are covered by appropriate safeguards as required by UK GDPR.

06How long we keep it

• Sales records (your email, purchase date, payment confirmation): six years, as required by HMRC.
• Unlock codes: kept while your access is active. Your access is lifetime, so we keep these indefinitely unless you ask us to delete them.
• Server logs: typically 30 days, depending on Netlify's retention policy.

07Your rights

Under UK GDPR you have the right to:

• Access the data we hold about you.
• Correct anything that's wrong.
• Delete your data (subject to our legal obligation to keep sales records for six years).
• Restrict how we use it.
• Object to us processing it.
• Receive a copy of your data in a portable format.
• Withdraw consent at any time, where we're relying on consent.

To exercise any of these, email access@theinvestingcouple.co.uk. We'll respond within 30 days, usually much faster.

08Complaints

If you think we've handled your data badly, we want to know first so we can fix it. But you're also entitled to complain to the Information Commissioner's Office at ico.org.uk or on 0303 123 1113.

09Cookie Policy

A cookie is a small text file stored in your browser when you visit a website. Some cookies are essential for a site to work. Others are optional and used for things like analytics. Here's exactly what we use and why.

Essential - no consent needed

These are necessary for the site to function and are set automatically.

Analytics - only with your consent

These cookies are only set if you click "Accept" on the cookie banner. If you click "Reject", none of these are loaded.

Managing your preferences

You can change your cookie preference at any time by clearing your browser's localStorage and reloading the page - the consent banner will reappear. In Chrome: Settings → Privacy and security → Clear browsing data → Cached images and files. In Safari: Settings → Advanced → Website Data → Remove All. Most browsers also have a built-in cookie manager under their privacy settings.

What we don't use

We do not use advertising cookies, social media tracking pixels, remarketing cookies, or any cookie designed to follow you across other websites. We don't run ads and we don't share data with advertisers.

10TIC Tracker

The TIC Tracker (tracker.theinvestingcouple.co.uk) is a separate web application for personal finance tracking. Because it handles more sensitive data than the main website, it has its own dedicated section here.

What data the tracker collects

When you create a TIC Tracker account, the following data may be collected and stored depending on what features you use:

• Name and email address (for account creation and authentication)
• Pay day date and pay cycle preferences
• Account balances (current accounts, savings, ISAs, pensions, investments)
• Income information (salary, additional income sources)
• Bills and recurring payments (names, amounts, due dates)
• Budget categories and spending limits
• Savings goals and debt payoff progress
• Quick spends and quick income (amounts, notes, categories)
• Debt information (lender names, balances, APR, monthly payments)
• Net worth history
• Notification preferences

Data structure and pseudonymisation

Your financial data is stored under a randomly generated unique identifier (UUID) — not your name or email address. The tables containing your balances, income, bills, debts and goals contain only this UUID, with no directly identifiable information attached.

Linking your financial data to your identity requires a deliberate cross-reference to a separate authentication table. This means that casually browsing the database does not reveal whose data is whose. This approach — known as pseudonymisation — is a recognised privacy protection technique under Article 4(5) UK GDPR and is provided by Supabase's architecture by default.

Administrative access

Automated account maintenance emails

The only circumstance in which your email address is linked to your financial data is when the system sends automated account status emails — specifically the inactivity warning email sent 30 days before account deletion. This process uses a system key held solely by the operator, stored securely in server environment variables and never in the application codebase. This crossing of the pseudonymisation boundary is intentional, narrow, and exists solely to notify you about your own account. The legal basis is Article 6(1)(b) UK GDPR — contractual necessity.

How it's stored

How it's used

Data entered into the tracker is used solely to provide the budgeting and financial tracking features within the app. It is not used for marketing profiling, sold to third parties, or shared with any external organisations.

The legal basis for processing this data is Article 6(1)(b) UK GDPR — processing necessary to perform the service you have signed up for. Without the data you enter, the app cannot function.

Payment processing

Access to the TIC Tracker is currently free. When a charge is introduced it will be a one-off fee, not a subscription. Payment will be handled by Stripe — the same processor used for The Starting Line.

We never see or store your card details. Stripe handles the transaction entirely. We only receive confirmation that payment was successful, along with your email address and the country your card was issued in. The legal basis for processing this data is Article 6(1)(b) UK GDPR — contractual necessity.

Stripe's privacy policy is at stripe.com/gb/privacy.

Authentication

Account authentication is handled by Supabase Auth. Passwords are hashed and never stored in plain text. Users can change their password or delete their account at any time from within the app settings.

Account deletion

How long we keep tracker data

Active accounts: data is retained for as long as your account exists.

Inactive accounts: if you have not logged in for 12 months, your account and all associated data will be permanently deleted. You will receive an email 30 days before deletion giving you the opportunity to log in and keep your account active.

Deleted accounts: data is deleted immediately and permanently. As no backups are retained, this cannot be undone.

Browser local storage

The tracker uses browser local storage (not cookies) to store app preferences such as notification settings, walkthrough completion status, and dismissed notifications. No personal financial data is stored in local storage — this information stays on your device and is never transmitted to us.

Third-party services used by the tracker

• Stripe (payment processing, when a charge is introduced) — stripe.com/gb/privacy
• Supabase (database and authentication) — supabase.com/privacy
• Netlify (hosting) — netlify.com/privacy
• Google Analytics (anonymous usage statistics, only if you accept cookies) — policies.google.com/privacy
• DuckDuckGo and Google favicon services (used to display company logos in the bills feature — only the company name is sent, no personal data)

Financial data disclaimer

The TIC Tracker is a personal finance tracking tool. It does not provide regulated financial advice. Nothing within the app constitutes a personal recommendation. You are responsible for the accuracy of data you enter.

Questions about tracker data

For any privacy-related queries specific to the tracker, contact hello@theinvestingcouple.co.uk.

11Changes to this policy

If we change how we handle data, we'll update this page and change the "last updated" date at the top. For significant changes, we'll email customers directly.