Privacy Policy
Contents
- Who we are
- What information we collect
- Why we collect it (lawful bases)
- How we use it
- Third-party processors and sub-processors
- International transfers
- How long we keep your data
- Your rights under UK GDPR
- Cookies and similar technologies
- Security
- Children
- Changes to this policy
- Contact and complaints
1. Who we are
Top Level App is operated by Future Build Cov Ltd, a company registered in England and Wales, with its registered office in Coventry, United Kingdom. For the purposes of UK data protection law (the UK GDPR and Data Protection Act 2018), Future Build Cov Ltd is the data controller for personal information collected through the Top Level App service.
You can reach our data protection contact at support@toplevelapp.com or via WhatsApp on +44 7463 537535.
2. What information we collect
We collect only what we need to deliver the service. Specifically:
2.1 Account and billing data
- Email address — used to sign you in via a magic link, send transactional notifications, and match you with your Stripe subscription.
- Name, billing address, payment method details — collected and processed by Stripe on our behalf. We see only the customer reference, last 4 digits of your card, and the country of issue — we never see or store the full card number.
- Subscription history — which plan you're on, when invoices were paid, your credit balance.
2.2 Data you submit
- URLs you submit for AI visibility checks — these are public website URLs you ask us to audit.
- Report contents — the audit results we generate from those URLs. Stored against your account so you can revisit past reports.
2.3 Affiliate program data (only if you apply)
- Name, email, the channel or audience you plan to promote through, your website / newsletter / channel URL, your payout details if approved.
2.4 Technical and usage data
- IP address — used for security, rate-limiting, and fraud prevention. Stored for no longer than 90 days unless flagged for abuse.
- Browser type, device type, referrer, page-view timestamps — used to keep the service working and to spot bugs.
- Affiliate referral identifier — if you arrive via an affiliate link, we store a cookie identifying the affiliate so we can attribute commission correctly. Cookie name: tla_ref, 90-day expiry.
3. Why we collect it (lawful bases)
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Creating and managing your account | Performance of a contract |
| Taking payment via Stripe and recording subscription state | Performance of a contract |
| Running the AI visibility checks you request | Performance of a contract |
| Sending you transactional emails (sign-in links, invoices, account notifications) | Performance of a contract |
| Affiliate program administration and commission payouts | Performance of a contract |
| Security, fraud prevention, abuse detection, rate-limiting | Legitimate interests (keeping the service safe and reliable) |
| Complying with our UK accounting, tax, and legal obligations | Legal obligation |
| Sending you marketing emails (if any are ever sent) | Consent — and you can withdraw it at any time |
4. How we use it
We use your data to:
- Authenticate you and let you access your account.
- Run the audits you ask for and store the resulting reports against your account.
- Take recurring monthly payments, issue invoices, and grant you the report credits for your plan.
- Send you operational emails (sign-in links, payment receipts, plan-change notifications, lead-replies for the "book a call" service).
- Track affiliate referrals and pay out commissions accurately.
- Detect and prevent abuse of the service (e.g. someone submitting thousands of URLs to deplete the free credit pool).
- Meet our legal and tax obligations as a UK-registered company.
We do not sell your personal data. We do not use it to train AI models. We do not share it for third-party advertising.
5. Third-party processors and sub-processors
We rely on a small number of reputable third-party services to run Top Level App. Each is bound by a written data processing agreement (DPA) and only handles data necessary for its specific function.
| Service | What it does | Where data is processed |
|---|---|---|
| Stripe Payments Europe Ltd | Subscription billing, card processing, customer portal | Ireland / USA |
| Google Firebase & Google Cloud Platform | Authentication, database, serverless functions | USA (multi-region) |
| Resend Inc. | Transactional email delivery | USA |
| OpenAI, L.L.C. | AI visibility and citation analysis | USA |
| Serper.dev | Google Search results lookup for keyword ranking | USA |
| Netlify, Inc. | Static site hosting + content delivery | USA / global edge |
If you'd like a current list of sub-processors at any time, email support@toplevelapp.com.
6. International transfers
Several of our processors are based in the United States. Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards under UK GDPR — specifically the UK International Data Transfer Agreement (IDTA), Standard Contractual Clauses (SCCs), or equivalent — to ensure your data remains protected to UK standards.
7. How long we keep your data
- Account data — for the lifetime of your active subscription, then 6 years after closure to meet UK accounting and tax law (Companies Act 2006).
- Report contents — for the lifetime of your active subscription. You can delete individual reports any time. On account closure we delete reports within 30 days.
- Payment records — 6 years from the date of the transaction (HMRC requirement).
- Affiliate records and commission history — 6 years from the date of the last commission payment.
- IP addresses and access logs — 90 days, unless flagged for abuse investigation.
- Backups — encrypted, 30-day rolling window.
8. Your rights under UK GDPR
You have the following rights regarding your personal data. We will respond within 30 days of receiving a verified request.
- Right of access — get a copy of the personal data we hold about you.
- Right to rectification — correct any inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — delete your data, subject to legal retention requirements (e.g. tax records we are required to keep).
- Right to restriction of processing — ask us to pause processing your data in certain situations.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests or direct marketing.
- Rights related to automated decision-making — we do not subject you to fully automated decisions with legal or significant effects.
- Right to withdraw consent — at any time, where consent is the lawful basis.
To exercise any of these rights, email support@toplevelapp.com with the subject line "Data subject request". We may ask you to verify your identity before fulfilling the request.
9. Cookies and similar technologies
Top Level App uses a small, strictly necessary set of cookies. We do not use third-party advertising cookies or cross-site tracking.
| Cookie | Purpose | Expiry |
|---|---|---|
| tla_ref | Stores an affiliate referral code so we can attribute commission to the affiliate who referred you | 90 days |
| Firebase Auth cookies (firebaseLocalStorageDb etc.) | Keeps you signed in across visits | Until sign-out |
| Stripe Checkout cookies | Set by Stripe on their hosted checkout page only — governed by Stripe's own privacy policy | Per Stripe's policy |
| tla_url (session storage, not a cookie) | Remembers the URL you typed on the homepage so the checkout flow can prefill it | Until you close the tab |
10. Security
We take security seriously. Specifically:
- All connections to Top Level App are encrypted in transit with TLS 1.2 or higher.
- Passwords are not stored — we use Firebase magic-link sign-in, so there is no password for an attacker to steal.
- Payment card data is never seen or stored on our infrastructure — Stripe processes it directly.
- Database access is restricted to a small number of authenticated server-side processes; no user can directly write to credit balances, payment records, or commission ledgers.
- Webhook events from Stripe are cryptographically verified before any state change.
- We follow the principle of least privilege for API keys (e.g. our transactional email key can send only, not read or delete).
11. Children
Top Level App is a B2B tool intended for business owners, marketers, and agencies. It is not directed at children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact us and we will delete it.
12. Changes to this policy
If we make material changes to this policy we will notify you by email (where we have one) and update the "Last updated" date at the top. Continued use of the service after a change constitutes acceptance of the updated policy.
13. Contact and complaints
For any data protection question or request, contact us at support@toplevelapp.com.
If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113