Privacy Policy
Last updated: 4 June 2026
This policy explains what personal data Tide collects when you use this app, why we collect it, and what your rights are under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
Tide ("we", "us", "our") is operated by Alex Cottrell, an individual data controller registered in the United Kingdom. You can contact us at privacy@tidego.co for any privacy-related questions or to exercise your rights under this policy.
2. What we collect, and why
If you visit the site without an account
- Analytics via Google Analytics 4 (Google LLC) and Microsoft Clarity (Microsoft Corporation) — only if you accept analytics cookies in our cookie banner. Google Analytics counts page views and aggregate feature usage. Microsoft Clarity provides aggregate heatmaps and anonymised session replays (it masks text input by default) so we can see how pages are used and improve them. If you decline, neither tool loads, no analytics cookies are set, and no data is sent to Google or Microsoft. (Google's privacy policy, Microsoft's privacy statement)
If you create an account
- Email address — required so we can sign you in and send the email alerts you've enabled.
- Password (only if you choose the password sign-in path) — stored as a one-way bcrypt hash by our authentication provider, Supabase. We never see or store your plain-text password. We recommend the magic-link sign-in instead, which avoids passwords entirely.
- Shopping preferences — the audiences (women's / men's / children's), categories, and brand selections you make during onboarding. Used to compute your personalised Tide Score.
- Saved centres — the shopping centres you've checked, used to send you alerts and the weekend digest if you've turned them on.
- Notification choices — whether you want peak-sale alerts, brand-sale alerts, and the weekend digest.
3. Lawful basis for processing
- Performing the service you signed up for — your email and account data, lawful basis: contract.
- Personalisation and email alerts — lawful basis: consent, given when you complete onboarding and toggle the alert switches. You can withdraw this any time from My Tide.
- Analytics via Google Analytics and Microsoft Clarity — lawful basis: consent, given when you click "Accept" in the cookie banner. You can withdraw it any time via the "Cookie settings" link in the footer. No analytics cookies are set until you consent.
4. Who we share data with
We share the minimum personal data required to operate Tide with the following processors:
- Supabase — database, authentication, and email hosting (servers in the EU). Privacy policy.
- Vercel — static site hosting. Privacy policy.
- Google Analytics (Google LLC) — aggregated usage analytics, loaded only with your consent. Data may be processed in the US under Google's standard contractual clauses / the EU-US Data Privacy Framework.
- Microsoft Clarity (Microsoft Corporation) — aggregate heatmaps and anonymised session replays, loaded only with your consent. Data may be processed in the US under Microsoft's standard contractual clauses.
We do not sell your data to advertisers or third parties.
5. How long we keep your data
- Account data is retained for as long as your account exists.
- If you delete your account, we erase your email, preferences, and saved centres within 7 days.
- Inactive accounts (no sign-in for 24 months) are notified by email and then deleted if no response.
- Analytics data is retained by Google Analytics per the property's configured retention (default 14 months).
6. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you
- Correct any inaccurate data
- Erase your data ("right to be forgotten") — available as a one-click "Delete my account" button in My Tide
- Restrict or object to processing
- Port your data to another service (we'll provide a JSON export on request)
- Withdraw consent at any time
- Complain to the Information Commissioner's Office (ICO) at ico.org.uk if you believe we've mishandled your data
To exercise any of these rights, email privacy@tidego.co. We'll respond within one calendar month.
7. Security
- All traffic is encrypted in transit via TLS.
- Passwords (where used) are stored as bcrypt hashes; we never see or store the plain text.
- Database access is restricted by row-level security policies, so each user can only read their own preferences.
- We recommend the magic-link sign-in path, which removes passwords as an attack surface.
8. Data breaches
If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected users without undue delay.
9. Cookies
Tide uses the following cookies and similar technologies:
- Strictly necessary — the Supabase authentication session cookie, required to keep you signed in. No consent needed (PECR exemption).
- Analytics (Google Analytics 4 & Microsoft Clarity) — set _ga, _clck, _clsk and related cookies to measure usage. Opt-in only: set solely after you click "Accept" in our cookie banner, and never before. You can decline, or later withdraw, via "Cookie settings" in the footer.
10. Changes to this policy
If we make material changes to this policy, we will notify account holders by email and post a notice on the homepage at least 7 days before the changes take effect.