Privacy Policy

Last updated: June 2026

This policy should be read alongside our Terms & Conditions. If you have any questions, contact us at hello@reefanalysis.com.

1. Who we are

Reef Analysis is a trading name of Ark Technology Ltd, a company registered in England & Wales (No. 11538549). We are the data controller for the personal data processed through this service. References to "we", "us" or "our" in this policy mean Ark Technology Ltd.

2. What data we collect

We collect the following categories of personal data:

• Account data — email address, full name, and profile type provided during registration or in Settings.
• Tank & test data — tank names, volumes, and all water chemistry test results you upload or log (ICP reports, home test readings).
• Live sensor data — readings from connected devices (Apex Fusion, Alkatronic, Mastertronic, KH Guardian, KH Manager, AquaWiz), stored against your account.
• Device credentials — login credentials for connected devices, stored encrypted in Supabase Vault.
• Usage data — page views, feature interactions, and session metadata collected via Pendo.io to help us improve the product.
• Technical data — IP address, browser type, and device information collected automatically by our hosting provider (Vercel).

3. How we use your data

• To provide and operate the Reef Analysis service.
• To authenticate your account and keep it secure.
• To sync live sensor data on your behalf via automated background jobs.
• To parse ICP test reports using AI (Anthropic Claude API) — uploaded files are processed and discarded; only the parsed results are stored.
• To send transactional emails (email verification, password reset). We do not send marketing emails without your consent.
• To analyse product usage and improve features via Pendo.io.
• To investigate and resolve errors or support requests.

4. Legal basis (UK GDPR)

• Contract — processing necessary to deliver the service you signed up for (Art. 6(1)(b)).
• Legitimate interests — product analytics, error logging, and service security (Art. 6(1)(f)).
• Legal obligation — where we are required to retain data by law (Art. 6(1)(c)).

5. Third-party services

We use the following sub-processors:

• Supabase (EU region) — database, authentication, and encrypted secret storage.
• Vercel (US/EU) — application hosting and serverless functions.
• Anthropic (US) — AI-powered parsing of ICP test PDFs and images. Data is processed transiently and not used for model training under our API agreement.
• Pendo.io (EU) — product analytics. Pendo collects visitor and usage data under their own privacy policy.
• Resend — transactional email delivery.
• Stripe — payment processing (web only). We never have access to card details.

Where data is transferred outside the UK/EEA, we rely on Standard Contractual Clauses or equivalent adequacy mechanisms.

6. Data retention

We retain your data for as long as your account is active. You can delete individual tanks (which cascades to all associated test and sensor data) at any time. To delete your entire account and all associated data, email us at hello@reefanalysis.com with the subject line Delete my account. We will action deletion requests within 30 days.

7. Your rights

Under UK GDPR you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion of your personal data ("right to be forgotten").
• Restriction — ask us to limit how we process your data.
• Portability — receive your data in a structured, machine-readable format.
• Object — object to processing based on legitimate interests.

To exercise any of these rights, email hello@reefanalysis.com. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Cookies & local storage

We do not use tracking cookies. We use browser localStorage to persist your in-app preferences (selected tank, dashboard tile layout, time range selections). This data never leaves your device and is not transmitted to our servers except where explicitly synced to your account (e.g. dashboard tile configuration).

9. Security

All data is transmitted over HTTPS. Passwords and device credentials are never stored in plaintext — credentials are encrypted at rest using Supabase Vault. We apply row-level security so your data is only accessible to your own account.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notice. Continued use of the service after changes constitutes acceptance of the updated policy.