JEANNETTE LTD is the data controller for personal data processed through Elfna.

Registered in England and Wales under company number [COMPANY_NUMBER]. Registered office: [REGISTERED_OFFICE_ADDRESS]. Contact: hello@elfna.com.

This notice covers our processing under the UK GDPR and the Data Protection Act 2018.

Account data (only if you create an account): email address, name if you provide it, hashed authentication data managed by Clerk.

Purchase data (only if you buy something): the product purchased, transaction reference, billing email. Card details are handled directly by Stripe and never reach our servers.

Device data: anonymous identifiers stored locally (in localStorage and cookies) to remember preferences such as language, unlock state, and saved riad location.

Usage data: pages visited, features used, approximate location (city / country) inferred from your IP, device and browser type, errors. Collected via PostHog and Sentry.

Communications: any message you send us by email or through a contact form.

We do not collect special category data (health, race, religion, sexual orientation, etc.) and we do not knowingly collect data from children under 16.

If you grant browser location permission for the offline map or scam radar, your device's GPS coordinates are used locally on your device to position you on the map and trigger zone warnings.

We do not transmit your precise GPS coordinates to our servers. Anonymous, coarse location (city level) may be inferred from your IP for analytics.

Provide the Service (contract): authenticate you, deliver paid features, sync purchases across devices.

Process payments (contract / legal obligation): execute and record your purchase, comply with tax and accounting law.

Improve the Service (legitimate interests): understand which features are used and where users get stuck, fix bugs, prevent abuse.

Communicate with you (contract / legitimate interests): reply to support requests, send transactional notices about your purchase.

Comply with the law (legal obligation): respond to lawful requests, keep required records.

We do not run targeted advertising and we do not sell your personal data.

We use a small set of trusted processors who handle data only on our instructions and under written contracts:

Clerk (authentication), Stripe (payments), Neon (database hosting), Vercel (application hosting), Sentry (error monitoring), PostHog (product analytics), Sanity (content delivery), Mapbox (map tiles), Resend (transactional email), Twilio (WhatsApp messaging where used).

Some processors are based outside the UK / EEA. Where that is the case, transfers are protected by the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or equivalent safeguards.

We will also disclose data where required by law, court order, or to protect our rights, users, or the public.

Strictly necessary: locale preference, authentication session, map unlock state. These are required to operate the Service.

Analytics: PostHog uses cookies / local storage to measure product usage in aggregate.

We do not use advertising or cross-site tracking cookies.

Account data: while your account exists, then up to 12 months after deletion for fraud and abuse prevention.

Purchase records: 7 years to comply with UK tax and accounting requirements.

Analytics events: up to 12 months in PostHog before aggregation.

Error reports: up to 90 days in Sentry.

Support emails: up to 24 months after resolution.

Under UK GDPR you have the right to: access your data, correct it, delete it, restrict or object to processing, port it to another service, and withdraw consent at any time.

To exercise any of these rights, email hello@elfna.com. We will respond within one month.

If you are unhappy with how we handle your data you can also complain to the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.

We use HTTPS for all traffic, encrypt data at rest where supported by our processors, restrict access to production systems on a need-to-know basis, and rely on Stripe and Clerk for payment and authentication security.

No system is perfectly secure. If a breach affects you we will notify you and the ICO as required by law.

We may update this notice from time to time. The current version is always posted here with an updated effective date. If a change is material we will take reasonable steps to notify you.

Privacy questions or requests: hello@elfna.com.