Privacy Policy
Last updated: 1 June 2026
1. Who we are
terva.io ("we", "us") is a UK B2B SaaS platform operated by TERVA.IO LTD, a company registered in England & Wales under company number 17198553, with registered office at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ.
We score and rank residential properties for licensed business customers ("Subscribers") such as solar installers, heat-pump engineers, EV charger installers, insurance brokers, and FCA-authorised mortgage and equity-release brokers.
We are the data controller for the property and address data we process to build our scoring models. Our Subscribers are independent data controllers for any use they make of the outputs we deliver.
2. What we do NOT do
- We do not contact homeowners, residents, or any individual consumer. We are a B2B SaaS tool. All delivery is to Subscriber accounts via dashboard, export, or API.
- We do not provide financial, mortgage, insurance, or investment advice. We deliver address-level data to authorised brokers, advisers, and installers who make their own regulated decisions.
- We do not sell consumer marketing lists, run telemarketing, or send direct mail on behalf of third parties.
- We do not carry out FCA-regulated activities. Any regulated activity (e.g. arranging a mortgage, advising on equity release, arranging insurance) is performed by the Subscriber, who is solely responsible for their own FCA authorisation and compliance.
3. What data we store
We store the following categories of data. Everything is keyed to the address / UPRN, never to a named individual.
3.1 Property & address reference data (from public & licensed sources)
- UPRN, USRN, postcode, full postal address (Ordnance Survey AddressBase)
- Latitude / longitude centroid
- Land Registry: title number, tenure, last sale price & date, transaction history
- EPC Register: current & potential energy rating, floor area, dominant wall / roof / heating type, lodgement date
- Ofcom: broadband technology & speed availability, mobile coverage
- Police: counts of recorded crimes within ~1 mile by category (no victim or offender data)
- Environment Agency: flood-risk band, surface-water risk
- British Geological Survey: ground stability, radon, subsidence indicators
- TwentyCi: "on-market" / recently-moved status (address level, no resident name)
- Experian Mosaic: postcode-level (not household-level) demographic group code
3.2 Derived data (generated by us)
- Per-vertical viability score (0–100) and component sub-scores
- Estimated job value range
- Recommended vs. not-recommended flag and signal explanations
- Model version & calculation timestamp (for auditability)
3.3 Subscriber (B2B customer) data
- Company name, company number, VAT number, registered address
- Named contact: work name, work email, work phone, job title
- FCA / Gas Safe / MCS / NICEIC registration numbers (where relevant)
- Contracted territories, verticals, plan, billing details (handled by our payment processor; we store only the last 4 digits and brand)
- Authentication identifiers, session tokens, audit logs (logins, exports, API calls)
3.4 Site & product telemetry
- IP address, user-agent, referrer, pages viewed (first-party analytics only)
- Cookies: strictly-necessary session cookie + a single first-party analytics cookie. No advertising or cross-site tracking cookies.
We do not store: resident names, resident phone numbers, resident emails, household income, bank details, mortgage balances, special-category data (health, ethnicity, religion, political views, biometrics), or children's data.
4. Lawful basis
Our lawful bases under UK GDPR Article 6:
- Property & derived address data — Art. 6(1)(f) legitimate interests. Enabling licensed UK businesses to identify technically suitable properties, reducing wasted surveys and unsolicited consumer contact. LIA and DPIA completed and available on request.
- Subscriber account data — Art. 6(1)(b) contract. Necessary to provide the service the Subscriber has bought.
- Billing & tax records — Art. 6(1)(c) legal obligation. Required by HMRC and Companies House rules.
- Analytics cookie — Art. 6(1)(a) consent, captured via the cookie banner.
5. Who we share data with (named sub-processors)
We share only what is strictly needed, only with the parties below, all bound by written Data Processing Agreements:
5.1 Subscribers (independent controllers)
Authenticated B2B Subscribers receive the scored address records within their contracted territory and vertical only. Each Subscriber becomes an independent controller for any further use; their own privacy notice governs what they do next.
5.2 Infrastructure & hosting
- Supabase (managed Postgres, auth, storage) — EU (Frankfurt) region
- Cloudflare (CDN, DNS, WAF) — global edge, EU termination
- Vercel / Lovable hosting (application runtime) — EU region
5.3 Operational tooling
- Google Maps Platform — geocoding postcodes to coordinates (no personal data sent beyond the postcode)
- Stripe — Subscriber payment processing (Stripe is the controller for cardholder data)
- Resend / Postmark — transactional email to Subscribers (account, billing, product notifications)
- Plausible (or equivalent EU-hosted analytics) — cookie-light first-party site analytics
- Sentry — error monitoring (IP & user-agent only; PII scrubbed)
5.4 Professional advisers & authorities
- Our accountants, auditors, and legal advisers, under professional confidentiality
- HMRC, Companies House, the ICO, courts, or law enforcement where legally required
We do not share data with advertising networks, data brokers, list rental companies, or affiliate marketers. We do not contact homeowners directly and we do not pass homeowner contact details to Subscribers (we don't hold any).
6. International transfers
Data is hosted in the UK and EEA. Some sub-processors (e.g. Stripe, Cloudflare, Google Maps, Sentry) are US-headquartered. Transfers to third countries rely on UK IDTA / EU SCCs plus a documented Transfer Risk Assessment, with supplementary measures (encryption in transit and at rest, minimised payloads).
7. How long we retain data
| Data category | Retention |
|---|---|
| Property & address reference data | Refreshed on each source's cadence; superseded versions kept 24 months for model reproducibility |
| Derived scores delivered to a Subscriber | Life of Subscriber contract + 12 months (audit / dispute window) |
| Subscriber account record | Life of contract + 12 months, then deletion or anonymisation |
| Billing & invoice records | 6 years from end of tax year (HMRC requirement) |
| Authentication & security audit logs | 13 months rolling |
| Product telemetry & error logs | 90 days, then aggregated |
| Marketing emails (B2B prospect outreach) | Until opt-out, then 24 months on a suppression list |
| Backups | Encrypted, rolling 30 days, then overwritten |
When retention expires, data is hard-deleted from primary stores and purged from backups on the next backup cycle.
8. Your rights
UK residents have the right to access, rectify, erase, restrict, or object to processing of personal data relating to their address. Because our records are keyed to UPRN / address rather than named individuals, please include the full postal address in any request.
Contact: dpo@terva.io. You also have the right to complain to the Information Commissioner's Office (ico.org.uk).
9. Changes
We will post any updates on this page and update the "Last updated" date above.