Privacy Policy
Last updated: 14 May 2026
1. Who we are
Solitu is operated by Reaching Futurity Ltd (“we”, “us”, “our”), a company registered in England and Wales (company number 11805801). Our registered office is 1 Doolittle Yard, Froghall Road, Ampthill, Bedfordshire, MK45 2NW. We are registered with the UK Information Commissioner's Office as a data controller for personal data processed through this service.
Contact us about privacy matters at: privacy@reachingfuturity.com
2. What data we collect and why
| Data | Purpose | Lawful basis |
|---|---|---|
| Email, password hash, sign-in metadata | Account creation and authentication | Contract (UK GDPR Art. 6(1)(b)) |
| Profile information (name, avatar) | Identification within your organisation(s) | Contract |
| Organisation name, logo, member roles | Multi-organisation support so you can run multiple businesses from one account | Contract |
| Data about your clients (names, contact details, hourly rates) | Time tracking and invoicing on your behalf | Contract (you instructing us as your processor — see section 4) |
| Timesheet entries (times, descriptions) | Time tracking, billing, and reporting | Contract |
| Invoice details and line items | Invoicing on your behalf | Contract |
| Encrypted OAuth tokens (Google, Xero) | Performing the integrations you have enabled, on your behalf | Contract |
| Email sender metadata for filename suggestions (if you connect Gmail) | Improving automatic filename suggestions in the Gmail/Drive feature | Legitimate interests (Art. 6(1)(f)) |
| Feedback you submit through the in-app widget | Improving the service; troubleshooting issues you report | Legitimate interests |
| Error reports (stack traces, request context) | Diagnosing and fixing bugs | Legitimate interests |
| Analytics events (if consented) | Understanding how the product is used | Consent (Art. 6(1)(a)) |
| IP address, user agent (rate limiting) | Preventing abuse of the service | Legitimate interests |
We do not collect special-category personal data (health, biometric, political opinions, etc.) and do not knowingly process such data on your behalf. Do not enter special-category data into timesheet descriptions or feedback.
3. Information about your clients and contacts
When you add clients, projects, or features to Solitu, or connect Gmail to receive filename suggestions, our records may include personal data about people who are not Solitu users — typically your business clients and their contacts. Under UK GDPR:
- You are the data controller for that information. You decide what to store, why, and for how long.
- Solitu (Reaching Futurity Ltd) acts as your processor for that subset of data. We only process it on your written instructions, namely the instructions implicit in how you use the service.
- You are responsible for having a lawful basis to share that data with us, and for telling your clients (in your own privacy notice) that you use Solitu to manage your work for them.
If one of your clients exercises a data-subject right against you (e.g. asks you to delete their data), you can resolve that through your normal Solitu deletion controls; contact us at privacy@reachingfuturity.com if you need our assistance.
4. Third-party processors and sub-processors
We share data with the following processors, each bound by a Data Processing Agreement and selected for their security posture. Where processing occurs outside the UK/EEA, transfers are covered by Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA).
| Processor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt) | No transfer outside UK/EEA |
| Vercel | Application hosting and edge delivery | Global edge network | SCCs / IDTA for routes via US edge nodes |
| Resend | Transactional email (gap-day digests, in-app feedback notifications) | EU and US | SCCs / IDTA |
| Upstash | Rate-limiting (IP/user-keyed counters only) | Global edge | SCCs / IDTA |
| Sentry | Error monitoring (PII scrubbed by configuration) | EU (Frankfurt) or US, depending on plan | SCCs / IDTA where applicable |
| PostHog | Product analytics — only if you have provided consent | EU (Frankfurt) | No transfer outside UK/EEA |
| Anthropic | Optional AI-assisted filename suggestions (only when you have configured an API key) | US | SCCs / IDTA |
| Cloudflare (planned) | DNS, web application firewall, and access control for our administrative interfaces | Global edge | SCCs / IDTA |
Integrations you enable yourself (Xero, Google Workspace) are not Solitu sub-processors. When you connect them, you are the controller for the data they hold and Solitu acts as a conduit. Their respective privacy policies apply.
5. Data retention
We retain personal data for as long as your account is active and then according to the following schedule. The dates below are enforced by automated daily clean-up routines.
| Data | Retention |
|---|---|
| Account, profile, organisation membership | For the lifetime of your account, then hard-deleted |
| Clients, projects, features, timesheet entries (not linked to an invoice) once deleted by you | Held for 30 days, then hard-deleted |
| Invoices and invoice-linked timesheet entries | Held for the lifetime of your account. Deleted on account erasure — export first if you need a copy for your own tax-record-keeping (see section 6). |
| Audit log of sensitive operations | Rolling 2 years |
| Email-sender metadata (Gmail filename feature) | Rolling 12 months |
| Feedback submissions that have been marked shipped or closed | Rolling 24 months |
| Waitlist email captures (pre-signup) | 24 months, or until the email converts to a paid signup, whichever is sooner |
| Error events (Sentry) | Up to 90 days |
| Analytics events (PostHog, if consented) | Rolling 24 months |
| Breach-incident logs and data-subject request records (legal obligation) | 6 years |
| Database backups | Rolling 7 days (daily) + 12 weeks (weekly) |
6. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you. Available self-serve via Settings → Export.
- Rectification — correct inaccurate data. Most fields are editable in Settings.
- Erasure — request deletion of your data (“right to be forgotten”). Available self-serve via Settings → Delete my account. All your data is deleted, including invoices you raised through Solitu.
  Tax records remain your responsibility. If you have used Solitu to invoice clients, HMRC requires you (as the trader) to keep your own financial records for at least 6 years. Export your data before deletion — Settings → Export gives you JSON and CSV copies you can store yourself.
- Restriction — ask us to limit how we use your data while a query is resolved.
- Portability — receive your data in a structured, machine-readable format. Available self-serve via Settings → Export (JSON and CSV formats).
- Objection — object to processing based on legitimate interests.
- Withdraw consent — withdraw analytics consent at any time via the cookie banner or Settings → Privacy. Withdrawal does not affect the lawfulness of prior processing.
To exercise any of these rights, use the self-serve options above or contact us at privacy@reachingfuturity.com. We will respond within one month of receipt and confirm what we have done.
7. Cookies and analytics
We use strictly necessary cookies to operate the service (authentication session tokens), which do not require consent under the Privacy and Electronic Communications Regulations (PECR). We use analytics cookies (PostHog) only with your consent, requested via the cookie banner the first time you visit. See our Cookie Policy for full details and to change your preferences at any time.
8. Security
We apply appropriate technical and organisational measures to protect your data:
- TLS 1.2+ for all data in transit between your browser and our servers.
- Application-level AES-256-GCM encryption of OAuth tokens at rest (over and above Supabase's storage-level encryption).
- Row-Level Security enforced at the database layer, isolating each organisation's data from every other.
- Per-IP and per-user rate limiting on API endpoints to deter abuse.
- Three-layer access control on administrative interfaces (host isolation + allow-list + database RLS).
- Automatic daily clean-up of expired soft-deleted records (see section 5).
No method of transmission over the internet is 100% secure; we cannot guarantee absolute security. We will notify you and the ICO of any personal-data breach likely to result in a risk to your rights, within 72 hours of becoming aware of it.
9. Children
Solitu is a business tool intended for use by adults. We do not knowingly collect data from anyone under the age of 18.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email or by a notice within the application at least 30 days before taking effect. Continued use after that date constitutes acceptance.
11. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK supervisory authority. We would welcome the chance to address your concern first, so we encourage you to contact us before going to the ICO.
Information Commissioner's Office (ICO)
ico.org.uk · 0303 123 1113