Effective date: 14 April 2026

Privacy Policy

1. Who We Are

DebtRiot is operated by Monika Pankiewicz, sole trader, registered in England and Wales.

Website: debtriot.co.uk

Contact: hello@debtriot.co.uk

ICO Registration: ZC115123

We comply with UK data protection law (UK GDPR and the Data Protection Act 2018).

2. What This Policy Covers

This policy covers all DebtRiot products and services:

• debtriot.co.uk (the marketing site and demo calculation engine)

• coaches.debtriot.co.uk (the professional coaches platform)

• app.debtriot.co.uk (the organisations tool)

DebtRiot has two products: a coaches platform and an organisations tool. Both are powered by the same calculation engine, hosted on debtriot.co.uk. Each handles data differently — the sections below explain what applies to each.

3. The Calculation Engine — What We Don't Collect

All debt calculations — balances, interest rates, minimum payments, strategies — run entirely in your browser. We never receive, store, or process the financial figures you enter.

This applies to the demo engine at debtriot.co.uk, the coaches platform, and the organisations tool.

4. Coaches Platform (coaches.debtriot.co.uk)

Coaches create an account to access the platform. We collect:

• Email address and account credentials (for login and account management)

• Subscription and billing data (processed by Stripe — we never see your card details)

• Session data stored in your browser (plan inputs, saved sessions) — this stays on your device

We do not collect or store your clients' debt data. Plans are generated and saved locally.

Payments are processed by Stripe. See stripe.com/privacy for Stripe's privacy policy.

5. Organisations Tool (app.debtriot.co.uk)

The organisations tool is designed to collect no personal data from end users (tenants, employees, or service users).

What we do NOT collect from end users:

• Name, email address, or any personal identifier

• Debt amounts, interest rates, or any financial data entered into the tool

• IP address (not stored)

• Cookies for tracking or advertising

What we DO collect:

Anonymous aggregate usage counts only — for example, how many times the tool was opened, how many plans were completed, which strategy was most selected. This data cannot be used to identify any individual.

This data is stored in Upstash Redis (EU-West, Ireland) and retained for 24 months.

Organisations access this data via an admin dashboard. DebtRiot also has access for service improvement purposes.

The legal basis for this processing is legitimate interests (Article 6(1)(f) UK GDPR). We have assessed that processing anonymous usage counts is proportionate and does not significantly affect end users' rights.

6. Marketing Site (debtriot.co.uk)

No account or sign-up is required to use the demo engine.

We may collect basic, anonymised analytics (page views, button clicks) only if you consent via the cookie banner. Analytics are disabled by default until you make a choice.

We do not use advertising cookies and we do not sell data.

7. Contact Messages

If you email us, we will have your email address and the content of your message. We use this only to respond to you and for related follow-up. Contact messages are kept for up to 24 months.

8. Cookies

We use cookies to keep the site working. Optional analytics cookies are only activated after you give consent via the cookie banner.

We do not use advertising or tracking cookies.

9. Data Sharing

We do not sell your data.

We use the following sub-processors:

• Vercel, Inc. — hosting and serverless compute (USA/EU, SCCs in place)

• Upstash, Inc. — anonymous usage counts, Redis database (EU Ireland, SCCs in place)

• Stripe, Inc. — payment processing for coaches subscriptions

• Email service provider — for responding to contact messages

These providers are contractually required to keep data secure and use it only for the purposes described.

10. Data Retention

• Calculator inputs: stored only in your browser. Never sent to us.

• Coaches account data: retained while your account is active, then deleted on request or after account closure.

• Organisations anonymous usage data: retained for 24 months, then deleted automatically.

• Contact messages: retained for up to 24 months.

• Payment records: retained as required for tax and legal compliance.

11. Your Rights

Under UK GDPR, you may have the right to:

• access your personal data

• correct inaccurate data

• request deletion

• restrict or object to processing

• data portability

Since calculator inputs never leave your browser, most rights apply only to account data, contact messages, and payment records.

To exercise your rights, email hello@debtriot.co.uk.

12. Children

DebtRiot is not intended for use by children under 16. We do not knowingly collect data from children.

13. Security

We use reasonable measures to protect information — secure hosting, access controls, and regular updates. No system is 100% secure, but we take proportionate steps to manage risks.

14. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113.

15. Changes

We may update this policy. When we do, we will update the date at the top. Significant changes will be highlighted on the site.

16. Contact

Questions about privacy? Email hello@debtriot.co.uk

DebtRiot | Monika Pankiewicz, sole trader, Cardiff, Wales | ICO Registration: ZC115123