Privacy Policy
Last updated: March 2026
1. Data Controller
Zero Loop Labs Ltd
Company No. 17035492
17 Heronsforde, London W13 8JE, United Kingdom
Email: hello@sealtrail.dev
We are registered in England and Wales and subject to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
2. What We Collect
Account data (via Clerk)
When you sign up, our authentication provider Clerk collects your email address, name, and authentication credentials. We store a Clerk organisation identifier and your chosen organisation name.
Payment data (via Stripe)
Payment card details are collected and processed entirely by Stripe. We store only a Stripe customer identifier to link your account to your subscription. We never see or store card numbers.
API keys
When you generate an API key, we store a SHA-256 hash of the key and a short prefix (e.g. stl_live_7h8i...) for identification. The raw key is shown once and never stored.
Audit event data
Events you send through the API are stored as submitted, including actor, action, resource, and context fields. You control what data these fields contain. We do not inspect or process the content of your audit events beyond computing hash chains for integrity verification.
What we do not collect
- IP addresses — we do not log or store client IP addresses
- Tracking data — no analytics, advertising pixels, or third-party trackers on any of our sites
- Usage analytics — no behavioural tracking or session recordings
3. How We Use Data and Legal Bases
| Purpose | Data | Legal basis |
|---|---|---|
| Provide the audit trail service | Account data, API keys, audit events | Contract (Art. 6(1)(b)) |
| Process payments and usage billing | Stripe customer ID, event counts | Contract (Art. 6(1)(b)) |
| Authenticate your identity | Clerk session tokens | Contract (Art. 6(1)(b)) |
| Maintain audit log integrity (hash chains) | Event hashes, chain metadata | Legitimate interest (Art. 6(1)(f)) |
| Respond to support requests | Email address | Legitimate interest (Art. 6(1)(f)) |
4. Third-Party Processors
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Clerk | Authentication and identity | Email, name, session tokens | US (DPF certified) |
| Stripe | Payment processing and usage metering | Customer ID, event counts | US (DPF certified) |
| Neon | PostgreSQL database hosting | All structured data (see section 2) | London, UK |
| Fly.io | Application hosting | Application logs (no PII) | London, UK |
5. International Data Transfers
Our database and application servers are hosted in London, UK. Clerk and Stripe process some data in the United States under the EU-US Data Privacy Framework (DPF). Where DPF does not apply, we rely on Standard Contractual Clauses (SCCs) as our transfer mechanism.
6. Cookies
The SealTrail marketing website (sealtrail.dev) does not set any cookies.
The SealTrail dashboard (console.sealtrail.dev) uses session cookies set by Clerk for authentication. These are strictly necessary for the service to function and do not require consent under PECR Regulation 6.
7. Data Retention
- Audit events — retained for the duration of your subscription and according to your plan's retention period (Free: 30 days, Pro: 1 year, Business: unlimited). Audit events are immutable by design — this is a core feature of the service that ensures log integrity.
- Account data — retained while your account is active and for up to 30 days after account closure.
- Payment records — retained as required by UK tax law (typically 6 years).
- API key hashes — hashes of revoked keys are marked as inactive but retained for audit trail integrity. Revoked keys cannot be used to authenticate.
8. Your Rights
Under the UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your account data. Note: audit event data is immutable by design to ensure cryptographic integrity. We can delete your account and associated metadata, but audit events created during your subscription are retained for the integrity of the hash chain.
- Restriction — request that we limit processing of your data
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent
To exercise any of these rights, email hello@sealtrail.dev. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
9. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or through the dashboard. Continued use of the service after changes constitutes acceptance.
10. Contact
Zero Loop Labs Ltd
Email: hello@sealtrail.dev
17 Heronsforde, London W13 8JE, United Kingdom