Privacy Policy
Last updated: 1 June 2026
1. Who we are
Antlio is operated by Marcin Weryk trading as Antlio, a sole trader based in the United Kingdom ("we", "us", "our"). We are the data controller for the personal data described in this policy.
Contact us via the contact form.
ICO registration number: ZC159669
2. What data we collect and why
Account data
When you create an account we collect your email address and password (hashed — we never see it in plain text). During onboarding we collect your business name, trade type, phone number, address, VAT number, UTR number, and bank details for use in your quotes and invoices. Lawful basis: contract (to provide the service you signed up for).
Job, quote, and invoice data
We store the jobs, quotes, and invoices you create, including line items, amounts, dates, and associated customer details. This data belongs to you. Lawful basis: contract.
Your customers' data
When you add customers to Antlio (names, addresses, email addresses, phone numbers), you are the data controller for that information and we act as your data processor. You are responsible for having a lawful basis to store and use your customers' data. Our Terms of Service include a data processing agreement covering this relationship.
Payment data
We do not store your card details. Payments are handled by Stripe, who process card data on our behalf under their own PCI-DSS compliance. We store your Stripe customer ID and subscription status only. Lawful basis: contract.
Usage and analytics data
We record internal analytics such as when free-plan limits are reached and when plan upgrades occur. This data is not shared externally and is used only to improve the product. Lawful basis: legitimate interests.
Support messages
If you contact us via the in-app support form, we retain your message and email address to respond to you. Lawful basis: legitimate interests.
3. Third parties we share data with
We use the following third-party services to operate Antlio. Each is bound by its own privacy policy and, where applicable, a data processing agreement with us.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | EU (Ireland) |
| Stripe | Payment processing and subscriptions | EU / USA |
| Resend | Transactional email delivery | EU / USA |
| Cloudflare | Bot protection (Turnstile) on signup | EU / USA |
| Amazon Web Services | Application hosting and encrypted backups | EU (Ireland) |
We do not sell your data to any third party, ever.
4. Data retention
We retain your account and business data for as long as your account is active. If you delete your account, your data is permanently deleted from our systems within 30 days, except where we are required to retain it by law (e.g. financial records for HMRC purposes — up to 6 years).
Encrypted database backups are retained for 90 days and then permanently deleted.
5. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — correct inaccurate data (most data can be edited directly in Settings)
- Right to erasure — request deletion of your account and data (available in Settings → Data & Privacy → Danger Zone)
- Right to data portability — export all your data as a JSON file (Settings → Data & Privacy → Export data)
- Right to restrict processing — request we limit how we use your data
- Right to object — object to processing based on legitimate interests
To exercise any of these rights, contact us via the contact form. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
6. Security
All data is transmitted over HTTPS. Data at rest is encrypted. Access to production systems is restricted by IAM policies with least-privilege principles. Database backups are encrypted and stored in a private S3 bucket.
Passwords are hashed by Supabase Auth using bcrypt — we never have access to your plain-text password.
7. Cookies
Antlio uses only essential cookies required for authentication (session tokens set by Supabase). We do not use advertising, tracking, or analytics cookies. No cookie consent banner is required for essential-only cookies under UK GDPR.
8. Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Continued use of the service after notification constitutes acceptance of the updated policy.
9. Contact
Questions about this policy or how we handle your data: