Last updated 14 May 2026
Privacy Policy
Casomo is operated by Casomo Ltd (“we”, “us”), a company registered in England and Wales. This policy explains what data we hold, what we don’t, and your rights under UK GDPR.
- We don’t store your financial data. Salaries, pension figures, and scenarios you enter into our calculators stay in your browser. They are not sent to or stored on our servers.
- If you create an account, authentication is handled by Supabase. We do not store your email or password directly.
- We use a single privacy-respecting analytics provider (PostHog) for anonymous usage data. No advertising or cross-site tracking.
What we hold, and what we don’t
Financial and scenario data — not held by us
Our calculators run in your browser. Any salary figures, pension parameters, or scenarios you enter are stored locally on your device using your browser’s storage. They are not transmitted to our servers and we cannot see them.
You can export your scenarios to a file at any time using “Download my scenarios”, and import them back later or on another device. You can clear all scenarios from your browser using “Clear all scenarios” or by clearing this site’s data in your browser settings.
Account data — held by Supabase
If you create an account, authentication is handled by Supabase, who store:
- Your email address (provided by you or by Google/Apple sign-in)
- An internal user identifier
- Authentication metadata (sign-in timestamps, OAuth provider)
We hold this under UK GDPR Article 6(1)(b) (contract) — it is needed to operate your account and provide the service you’ve signed up for.
We do not hold your salary, pension data, NHS band, region, or any financial scenarios server-side.
Analytics — anonymous, stored locally
Anonymous usage analytics (page views, calculator interactions) are handled by PostHog. A random identifier is stored in your browser so we can distinguish returning visitors from new ones. Analytics do not capture your salary figures or calculation results, such as your take-home pay. We do record which broad options a scenario used — for example pay band, nation and tax year — to see which scenarios are common. We use the lawful basis of legitimate interest (UK GDPR Article 6(1)(f)) to understand how the site is used and to improve it.
We also record anonymised session replays — mouse movement, clicks, and page navigation — with all form inputs masked, so we can find and fix usability problems. Replays never capture the values you type.
We do this to find broken features, make the tools work well, and build more relevant, useful content. Most people never email to say something is broken. They get frustrated and leave, so anonymous usage data is how we spot it. The data is anonymous, and we never sell it to third parties.
Newsletter — handled by Buttondown
If you subscribe to our newsletter, your email address is held by Buttondown, our newsletter provider. You can unsubscribe at any time using the link in any newsletter email.
Cookies and browser storage
We use the minimum necessary storage technologies. The ICO treats browser storage (cookies, localStorage) consistently for transparency purposes, so we list them all here.
| Technology | Purpose | Set by |
|---|---|---|
| Authentication cookie | Keeps you signed in | Supabase (our auth provider) |
| Cloudflare Turnstile cookie | Bot protection on signup forms (short-lived) | Cloudflare |
| localStorage | Stores your scenarios on your device | Our site |
| Analytics cookie & localStorage | Anonymous visitor identifier and usage data | PostHog |
We do not use:
- Advertising cookies
- Cross-site tracking cookies
- Social media tracking pixels
How we use data
- Account data: to authenticate you and operate your account (held by Supabase).
- Anonymous analytics: to understand site usage and improve the product.
- Email (newsletter subscribers): to send product updates if you’ve subscribed.
We do not sell personal data. We do not share personal data with third parties for marketing.
International transfers
Some of our service providers (PostHog, Supabase, Buttondown, Cloudflare) may process data outside the UK. Where this happens, transfers are made under appropriate safeguards (Standard Contractual Clauses or UK adequacy decisions, depending on the provider and destination).
Data retention
- Account data: held by Supabase while your account exists. When you delete your account, your authentication record is removed. Backup copies may persist for up to 30 days before being purged.
- Platform logs: our hosting provider (Vercel) retains standard request logs for up to 3 days. These contain request metadata (URL, status code, timing) but no financial inputs or calculation data.
- Newsletter subscribers: held by Buttondown until you unsubscribe.
- Anonymous analytics: retained by PostHog according to their retention policy.
Your rights
Under UK GDPR you have the right to:
- Access the data we hold about you (Article 15)
- Correct inaccurate data (Article 16)
- Delete your account and the data we hold (Article 17)
- Port your data to another service (Article 20)
- Object to processing based on legitimate interest (Article 21)
- Withdraw consent where processing is based on consent
Because we hold so little data, most of these are quick to action:
- To delete your account and the data we hold, use the “Delete account” option in your account settings, or email us using the contact link below.
- To export your scenarios, use “Download my scenarios” in the app — they’re on your device, so you have direct access.
- To unsubscribe from the newsletter, use the unsubscribe link in any newsletter email.
For anything else, get in touch via the contact link below. We will respond within one calendar month.
If you’re unhappy with how we’ve handled your data, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.
Third-party services
| Service | Purpose | Privacy policy |
|---|---|---|
| Vercel | Site hosting | vercel.com |
| Supabase | Authentication and database | supabase.com |
| PostHog | Anonymous analytics | posthog.com |
| Buttondown | Newsletter | buttondown.com |
| Cloudflare | Bot protection (Turnstile) | cloudflare.com |
| Google / Apple Sign-In | Account authentication | Google / Apple |
Changes to this policy
We’ll update the “last updated” date at the top of this page when this policy changes. Material changes will be notified to account holders by email.
Contact
For privacy-related inquiries, get in touch.
Casomo Ltd (company number 15030496) is registered in England and Wales.