Privacy Policy

The data controller for personal data processed through TitanScout is TOTAL TITAN HOLDINGS LIMITED, a company registered in England and Wales under company number 14460771, with its registered office at 9 Nene Way, Sutton, Peterborough, PE5 7XB, England.

You can reach our privacy team at support@totaltitanholdings.com. We do not currently have a statutory Data Protection Officer because our processing does not meet the threshold for mandatory appointment under the UK GDPR; however, the contact above is the responsible privacy contact for all enquiries, complaints, and rights requests.

Account data: email address, hashed password, display name, country, marketing preference, and the legal acknowledgements you give us at signup (including the explicit confirmation that TitanScout is not a property survey, valuation, or legal advice).

Listing intake data: the property descriptions, agent links, and free-text notes you submit through the chat input, plus any photographs you upload to the Scout. This material is stored in a private, encrypted bucket scoped to your account and is not used to train any artificial-intelligence model.

Transactional data: subscription tier, credit balance, top-up purchases, invoice history, and the last four digits of the payment card together with the card brand. Full card details are tokenised and stored exclusively by Stripe; we never see them.

Operational data: device type, browser fingerprint hash, IP address, language preference, referrer, time zone, and aggregated usage metrics that allow us to keep the service running, detect abuse, and tune performance.

We use account and transactional data to provide the service you have asked for: creating your account, charging your subscription, granting and consuming credits, generating reports and reels, and sending the operational emails you would expect (receipts, password resets, security notices).

We use listing intake data exclusively to generate your scans and reels, to provide you with revision control over those outputs, and to support you when you raise a question. We do not sell, trade, or commercially share your photos or notes with third parties.

We use operational data to secure the service, prevent fraud and abuse, debug performance issues, and produce de-identified analytics that help us decide what to build next.

We rely on contract performance under Article 6(1)(b) UK GDPR for processing necessary to deliver the service you have purchased, including all account, transactional, and listing intake data.

We rely on legitimate interests under Article 6(1)(f) UK GDPR for security monitoring, fraud prevention, and product analytics, having balanced our interests against your reasonable expectations of privacy.

We rely on consent under Article 6(1)(a) UK GDPR for non-essential marketing communications and for optional cookies. You can withdraw consent at any time without affecting the lawfulness of prior processing.

We rely on legal obligation under Article 6(1)(c) UK GDPR where we must retain records for tax, accounting, or anti-money-laundering compliance under English law.

Your photos and brief are sent to an AI inference provider over an encrypted connection. We have a contractual data-processing agreement with that provider that prohibits the use of customer inputs for training, fine-tuning, or model evaluation.

Outputs (red-flag reports, repair-cost matrices, scan reels) are generated synchronously and stored in your account. Intermediate prompt traces used for safety review are retained for fourteen days and then permanently deleted.

TitanScout output is an AI-generated viewing aid. It is not a property survey, not a valuation, and not legal advice. We process your inputs solely to deliver this AI-generated commentary; no human reviewer reads your photos or notes unless you raise a support ticket and explicitly authorise us to.

We share data only with processors who help us run the service: Stripe (payments and dispute handling), Supabase (authentication and storage), our cloud-hosting provider (Vercel), and our AI inference provider. Each receives only the data required for its narrow function and is bound by a written processing agreement.

We will disclose data to law enforcement, regulators, or courts where we are legally compelled to do so, and only after considering whether the request is lawful, proportionate, and minimum-necessary. Where the law allows, we will tell you about the request.

We do not sell personal data, and we do not share personal data with advertising or data-broker networks.

Account data is retained for the lifetime of your account plus six years after closure, to comply with English statutory record-keeping requirements for taxation and contract claims.

Listing intake data, generated reports, and scan reels are retained while your account is open, and you can delete any item at will from the Scout. Once your account is closed, residual copies are purged within thirty days.

Operational logs are retained for ninety days unless they form part of an active security investigation.

Some of our processors operate infrastructure outside the United Kingdom and the European Economic Area. Where personal data is transferred to a country without an adequacy decision, we rely on the UK International Data Transfer Agreement or the European Commission's Standard Contractual Clauses, supplemented by technical safeguards including encryption in transit and at rest.

We can provide a summary of the transfer mechanism applicable to a specific processor on request.

Under the UK GDPR you have the right to request a copy of the personal data we hold about you, to ask us to correct inaccurate data, to ask us to delete data we no longer need to keep, to restrict or object to certain processing, and to receive your data in a portable format.

Under the California Consumer Privacy Act, residents of California have additional rights to know, delete, correct, opt out of sale or sharing for cross-context behavioural advertising, and limit the use of sensitive personal information. We do not sell or share personal data for cross-context behavioural advertising and we do not collect sensitive personal information beyond what is necessary to operate your account.

To exercise any of these rights, email support@totaltitanholdings.com from the address associated with your account. We will respond within thirty days and will not charge you a fee unless your request is manifestly unfounded or excessive.

We encrypt personal data in transit using TLS 1.3 and at rest using AES-256. Production credentials are stored in a hardware-backed secrets manager with role-based access. We run quarterly access reviews, mandatory two-factor authentication for staff, and an internal incident-response plan.

No system is perfectly secure. If we suffer a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within seventy-two hours and notify you without undue delay.

If you are not satisfied with how we have handled your personal data you can complain to the Information Commissioner's Office at ico.org.uk. Where you are resident in the European Economic Area, you can also complain to your local supervisory authority. We would, however, appreciate the chance to address your concerns first.

We may revise this policy from time to time. The version in effect is the one published on this page. Where changes are material, we will notify registered users by email at least thirty days before the change takes effect.

This version is effective from 2026-05-06.