Privacy Policy
4cast-ai Ltd · Last updated: June 2026 · Effective date: June 2026
This policy explains how 4cast-ai Ltd collects, uses, stores and protects your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to protecting your privacy and handling your data with transparency and care.
1. Who We Are
Data Controller: 4cast-ai Ltd
Contact: hello@4cast-ai.co.uk
4cast-ai Ltd is the data controller responsible for your personal data. We provide AI-powered sales forecasting software to wholesale and FMCG businesses.
2. Data We Collect
Account & Identity Data
- Name and email address (provided at signup)
- Job title and industry (provided at signup, optional)
- Encrypted password (we never store passwords in plain text)
- Account creation date and last login timestamp
Usage & Technical Data
- Login activity and session information
- Browser type and operating system (for security monitoring)
- IP address (retained for security purposes only)
Business & Forecast Data
- Sales, shipment and stock data you upload to the platform
- Forecast adjustments, promotional plans and category guidance you create
- Change logs generated by your use of the platform
Business and forecast data relates to commercial products and volumes — it is not personal data under UK GDPR. It is treated as commercially confidential and protected with the same technical controls as personal data.
3. How We Use Your Data
We use your data only for the following purposes:
- Providing the service — authenticating your account, loading your dashboard and saving your work
- Security — detecting unauthorised access, preventing brute-force attacks and protecting your account
- Communications — sending account-related emails (password resets, invitations) and, where you have opted in, product updates
- Legal compliance — retaining records as required by law
We do not use your data for advertising, profiling or sale to third parties.
4. Legal Basis for Processing
- Contract — processing your account data is necessary to provide the service you signed up for
- Legitimate interests — security monitoring and fraud prevention
- Legal obligation — retaining records where required by law
- Consent — where we ask for it (e.g. marketing emails), which you may withdraw at any time
5. Data Storage & Security
Your data is stored on Supabase infrastructure hosted in EU West 1 (Ireland), within the European Economic Area. This is a lawful transfer under the UK-EU adequacy decision.
We apply the following technical safeguards:
- All data is transmitted over HTTPS with TLS encryption
- Row Level Security (RLS) enforced at the database level — users can only access their own organisation's data
- Role-based access control — users can only view or edit data they are explicitly assigned to
- Passwords hashed using industry-standard algorithms (managed by Supabase Auth)
- Login attempt limiting — accounts are temporarily locked after 5 failed attempts
- Session timeouts after 8 hours of inactivity
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the service.
- Account data — retained for the duration of your subscription plus 90 days after cancellation, then permanently deleted
- Forecast and business data — retained for 2 years from the date of upload, then permanently deleted, unless you request earlier deletion or your agreement with us specifies otherwise
- Security logs — retained for 90 days for fraud prevention purposes
You may request deletion of your data at any time by contacting us at hello@4cast-ai.co.uk.
7. Data Sharing & Third Parties
We share data with the following third-party processors only to the extent necessary to deliver the service:
- Supabase Inc. — database and authentication infrastructure (EU West 1, Ireland). Data Processing Agreement in place.
- Vercel Inc. — website and application hosting. Data Processing Agreement in place.
- Anthropic PBC — AI language model used for forecast chatbot functionality. Only anonymised forecast adjustment prompts are sent — no personal data is included in AI requests.
- Stripe Inc. — payment processing for subscriptions. Stripe is independently PCI-DSS compliant. We do not store card details.
We do not sell, rent or trade your personal data to any third party.
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate data
- Right to erasure — request deletion of your personal data ("right to be forgotten")
- Right to restrict processing — ask us to limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, email us at hello@4cast-ai.co.uk. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
9. Cookies
We use only essential cookies required for authentication and session management. We do not use advertising or tracking cookies. No third-party analytics scripts are loaded on the platform.
10. Children's Data
4cast-ai is a business-to-business platform intended for use by professionals aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately.
11. Changes to This Policy
We may update this policy from time to time. We will notify active users by email of any material changes. The "last updated" date at the top of this page will always reflect the current version. Continued use of the platform after changes constitutes acceptance of the updated policy.
12. Contact Us
For any questions about this policy or how we handle your data: