Legal

Privacy Policy

Last updated: 29 June 2026

Who we are

CrestCast is a personal finance forecasting app for UK households, operated by Luke Walsh (trading as CrestCast). References to “we”, “us”, or “CrestCast” in this policy refer to this entity.

We are the data controller for personal data collected through this website and the CrestCast app. For questions about this policy, contact us at hello@crestcast.co.uk.

What data we collect

Waitlist: If you submit your email on our website to be notified at launch, we store your email address and the date you signed up. Nothing else.

Account: When you create an account, we collect your email address and a securely hashed password. We do not store your password in plain text.

Financial data: The income, assets, liabilities, and bills you enter into CrestCast are encrypted using AES-256-GCM before being sent to our servers. The server stores only ciphertext. We cannot read your financial data.

Billing: Subscription payments are handled by Stripe. We do not store your card details. Stripe provides us with a customer ID and subscription status only.

Usage data: We do not use analytics trackers, advertising pixels, or third-party tracking of any kind.

How we use your data

We use your data solely to operate CrestCast:

  • Your email is used to send you a launch notification (waitlist) or to manage your account and send essential service communications.
  • Your financial data is used exclusively to generate your forecast within the app. It is never used for any other purpose.
  • Billing data is used to manage your subscription.

We do not sell your data, share it with third parties for marketing, use it for advertising, or disclose it to anyone except as described in this policy.

Third-party services

We use a small number of trusted services to operate CrestCast:

  • Supabase: cloud database and authentication (EU region). Your encrypted data is stored here.
  • Stripe: subscription billing. Governed by Stripe's own privacy policy.

We do not use any other third-party services that receive your personal data.

Data retention

We retain your account and financial data for as long as you have an active account. Waitlist emails are retained until CrestCast launches or you unsubscribe, whichever comes first.

If you delete your account, all associated personal data and financial data is permanently deleted within 30 days.

Your rights under UK GDPR

Under the UK GDPR and Data Protection Act 2018, you have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate data.
  • Erasure: ask us to delete your data (“right to be forgotten”).
  • Portability: receive your data in a portable format.
  • Objection: object to processing in certain circumstances.
  • Withdraw consent: where processing is based on consent (e.g. the waitlist), you can withdraw it at any time.

To exercise any of these rights, email hello@crestcast.co.uk. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

Cookies

CrestCast does not use advertising or tracking cookies. We use a single session cookie to keep you logged into your account. No third-party cookies are set.

Changes to this policy

If we make material changes to this policy, we will notify you by email before the changes take effect. The “last updated” date at the top of this page reflects the most recent revision.