Privacy Policy
Last updated: 8 June 2026
Template notice: This document is provided as a starting point for TT UI and should be reviewed by qualified legal counsel before production use.
1. Who we are
TT UI is a shadcn-compatible component registry and documentation site operated by Tibbs Tech Ltd (“we”, “us”, “our”), a company registered in the United Kingdom.
Tibbs Tech Ltd is the data controller for personal data processed under this policy in connection with TT UI. The service providers listed in Section 6 (Processors and subprocessors) act as processors (or sub-processors) on our behalf when they handle personal data for us.
For privacy-related requests, contact us at privacy@tibbstech.co.uk.
2. What TT UI is
TT UI is a component registry and documentation service for React UI components, blocks, and templates. Components are distributed primarily through a shadcn-compatible registry and CLI.
- Free tier: Public components and documentation are available without a purchase.
- Paid tiers (Builder, Studio, Foundry): Premium content requires an account, a completed one-time purchase, and (for CLI installs on Builder+) a personal registry token.
This policy explains what personal data we collect when you use the website, create an account, purchase a tier, or access premium registry content.
3. Data we collect
3.1 Account and authentication data (Clerk)
When you sign up or sign in, we use Clerk to manage authentication. Clerk may process:
- Email address and, if you choose OAuth sign-in, profile information from Google or GitHub (such as name and avatar)
- Session identifiers and authentication cookies required to keep you signed in
- Account metadata we store on your user profile, including your purchase tier (plan) and optional admin roles
We display some of this information on your dashboard (for example, display name, email, and sign-in timestamps).
3.2 Billing and purchase data (Stripe)
If you purchase Builder, Studio, or Foundry, payments are processed by Stripe. Stripe collects payment method details and billing information directly. We receive and store:
- Stripe customer identifier (in Clerk private metadata, server-side only)
- Your current plan tier (in Clerk public metadata, used to gate premium registry access)
We do not store full card numbers on our servers.
3.3 Registry CLI tokens (PostgreSQL)
Builder-tier users and above can create personal registry tokens for CLI access to the premium registry (/api/registry/pro/...). We store in our hosted PostgreSQL database (for example Supabase, Neon, or Vercel Postgres):
- A hashed representation of each token (never the plaintext token after initial display)
- An optional label you provide, your Clerk user id, and timestamps (created, revoked, last used)
The plaintext token is shown once when you create it; you must store it securely in your environment (for example REGISTRY_TOKEN).
3.4 Registry access logs (abuse prevention)
When the premium registry API is called, we collect limited security telemetry to detect abuse (such as shared or leaked CLI tokens) and protect the Pro registry. We do not use this data for marketing or profiling.
Depending on the request, a log entry may include for example:
- Which registry file was requested and whether access was allowed or denied
- How you authenticated (browser session, CLI token, or unknown)
- Your account or token identifier (when authenticated), so we can tie activity to the right subscriber
- Hashed network fingerprints: a one-way SHA-256 hash, with a server-controlled salt, of the IP address and of the user-agent string. These are not directly readable in our database but may still be personal data under UK GDPR. The salt is configured via REGISTRY_ACCESS_LOG_SALT and is not rotated automatically; we may change it for security reasons, which would prevent comparison with older hashes.
- An approximate country code from CDN/hosting headers, when available
This telemetry is used only for security, troubleshooting, and abuse investigation. Authorised administrators may view aggregated or recent entries. See Section 3.6 (Technical and hosting logs) for hosting-provider logs, which are separate from this application table.
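The storage model described in this section and in Section 3.3 (hash-only tokens, salted fingerprints instead of raw IPs and user-agents) is shown below as an added example written for this page; it is not TT UI's own code. It assumes a hypothetical token prefix (ttui_), placeholder secrets in place of environment variables, an in-memory array in place of the PostgreSQL table, and separate hashes for IP and user-agent; none of those details come from the policy text.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Placeholder secrets, constructed for this example. In production both would be
// read from the environment (e.g. REGISTRY_ACCESS_LOG_SALT) and never committed.
const TOKEN_PEPPER = "example-pepper-replace-me";
const REGISTRY_ACCESS_LOG_SALT = "example-salt-replace-me";

// Hypothetical token prefix; the real token format is not stated on this page.
const TOKEN_PREFIX = "ttui_";

interface TokenRow {
  userId: string;
  label: string | null;
  hash: string;            // hex SHA-256(pepper || token); the plaintext is never stored
  createdAt: number;
  revokedAt: number | null;
  lastUsedAt: number | null;
}

interface AccessLogEntry {
  path: string;
  allowed: boolean;
  authMethod: "session" | "token" | "unknown";
  subjectId: string | null; // Clerk user id or token hash, never a plaintext token
  ipHash: string;
  uaHash: string;
  country: string | null;
}

// One-way hash of a token with a server-side pepper, so a database dump alone
// cannot be replayed against the registry API.
function hashToken(token: string, pepper: string = TOKEN_PEPPER): string {
  return createHash("sha256").update(pepper).update(token).digest("hex");
}

// Mints a token. The plaintext is returned to the caller exactly once; only the
// hash reaches the store (an array here, the PostgreSQL table in practice).
function createToken(userId: string, label: string | null, store: TokenRow[]): string {
  const token = TOKEN_PREFIX + randomBytes(32).toString("base64url");
  store.push({ userId, label, hash: hashToken(token), createdAt: Date.now(), revokedAt: null, lastUsedAt: null });
  return token;
}

// Looks up a presented token by its hash. The comparison is constant-time,
// revoked rows never authenticate, and lastUsedAt is updated on success.
function verifyToken(presented: string, store: TokenRow[], now: number = Date.now()): TokenRow | null {
  const presentedHash = Buffer.from(hashToken(presented), "hex");
  for (const row of store) {
    const storedHash = Buffer.from(row.hash, "hex");
    if (storedHash.length !== presentedHash.length || !timingSafeEqual(storedHash, presentedHash)) continue;
    if (row.revokedAt !== null) return null;
    row.lastUsedAt = now;
    return row;
  }
  return null;
}

// Revocation keeps the hashed row (as the retention table says) but marks it unusable.
function revokeTokenByHash(hash: string, store: TokenRow[], now: number = Date.now()): boolean {
  const row = store.find((r) => r.hash === hash && r.revokedAt === null);
  if (!row) return false;
  row.revokedAt = now;
  return true;
}

// Salted, one-way fingerprint of a network attribute. Same salt and same input
// give the same hash, so repeated activity correlates; a new salt breaks
// comparison with older entries, exactly as the policy notes. The NUL separator
// keeps salt and value from being ambiguous when concatenated.
function fingerprint(value: string, salt: string = REGISTRY_ACCESS_LOG_SALT): string {
  return createHash("sha256").update(salt).update("\0").update(value).digest("hex");
}

// Builds the application-level log row: raw IP and user-agent are hashed before
// anything is written, so the table never holds them in readable form.
function buildLogEntry(req: {
  path: string; allowed: boolean; authMethod: AccessLogEntry["authMethod"];
  subjectId: string | null; ip: string; userAgent: string; country?: string | null;
}): AccessLogEntry {
  return {
    path: req.path, allowed: req.allowed, authMethod: req.authMethod, subjectId: req.subjectId,
    ipHash: fingerprint(req.ip), uaHash: fingerprint(req.userAgent), country: req.country ?? null,
  };
}
```

Note that the fingerprint is deterministic per salt on purpose: that is what lets "the same token used from many addresses" be spotted, and it is also why the hashes remain personal data (anyone holding the salt can test a candidate IP against them). An HMAC-SHA256 keyed with the salt is the more conventional construction for the same purpose and could replace the hash-with-prefix form here.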
3.5 Password breach check (Have I Been Pwned)
Some TT UI demos and integrations offer an optional password breach check using the Have I Been Pwned k-anonymity API. This feature is only available when you are signed in and choose to use it.
When you use this feature:
- We do not store your password in our database or logs
- Your password is sent securely over HTTPS to our server only for the duration of the request
- On the server, we compute the SHA-1 hash of the password and send only the first five hexadecimal characters of that 40-character hash to the Have I Been Pwned API (k-anonymity model); the API returns the suffixes of all breached hashes sharing that prefix, and the comparison against the remaining 35 characters happens on our server. The full password, and the full hash, are never transmitted to third-party services
- We receive a breach result and return it to your browser immediately; no password data is retained after the request completes
We process this data only with your explicit consent, given when you use the breach-check feature. You can avoid this processing entirely by not using flows that trigger the check.
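The server-side k-anonymity flow described in this section, as an added example written for this page rather than TT UI's own implementation: compute the SHA-1, send the 5-character prefix, compare the 35-character suffix against the returned range locally, retain nothing. The "SUFFIX:COUNT" line format and the zero-count filler entries returned when the Add-Padding header is sent are HIBP's documented API behaviour; the HTTP call itself is replaced by a fetcher interface, and the offline fetcher and the counts in its response are constructed for the example, not real HIBP figures.

```typescript
import { createHash } from "node:crypto";

const HIBP_RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/";

// Fetches the range response for a 5-character prefix. The production version
// performs the HTTPS request; the offline one at the bottom is constructed.
type RangeFetcher = (prefix: string) => Promise<string>;

// HIBP keys its database on the uppercase hex SHA-1 of the password.
function sha1Upper(password: string): string {
  return createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
}

// k-anonymity split: only the prefix leaves the server; the suffix stays local.
function splitHash(hash: string): { prefix: string; suffix: string } {
  return { prefix: hash.slice(0, 5), suffix: hash.slice(5) };
}

function rangeUrl(prefix: string): string {
  if (!/^[0-9A-F]{5}$/.test(prefix)) throw new Error("prefix must be 5 uppercase hex characters");
  return HIBP_RANGE_ENDPOINT + prefix;
}

// The range body is one "SUFFIX:COUNT" pair per line, CRLF-separated. Padded
// responses (requested with "Add-Padding: true") include filler entries with a
// count of 0; those must not be reported as breaches.
function countInRange(rangeBody: string, suffix: string): number {
  const want = suffix.toUpperCase();
  for (const raw of rangeBody.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "") continue;
    const sep = line.indexOf(":");
    if (sep !== 35) continue; // malformed line: a suffix is exactly 35 hex characters
    if (line.slice(0, sep).toUpperCase() !== want) continue;
    const count = Number.parseInt(line.slice(sep + 1), 10);
    return Number.isFinite(count) && count > 0 ? count : 0;
  }
  return 0;
}

// Request-scoped check: the password and its hash live only in this frame, and
// the caller gets back a result with no password-derived material attached.
async function checkPasswordBreach(
  password: string,
  fetchRange: RangeFetcher,
): Promise<{ breached: boolean; count: number }> {
  const { prefix, suffix } = splitHash(sha1Upper(password));
  const count = countInRange(await fetchRange(prefix), suffix);
  return { breached: count > 0, count };
}

// Constructed stand-in for the HIBP response to prefix 5BAA6, which is the
// prefix of SHA-1("password"). The suffixes and counts are illustrative only.
const CONSTRUCTED_RANGES: Record<string, string> = {
  "5BAA6": [
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0", // padding entry, not a breach
  ].join("\r\n"),
};

const offlineFetcher: RangeFetcher = async (prefix) => CONSTRUCTED_RANGES[prefix] ?? "";
```

Two things worth keeping when wiring this to a real request: log the prefix at most (never the suffix, since prefix plus suffix is the full hash of a user password), and treat a failed or non-200 range lookup as "unknown" rather than "not breached" so an outage cannot silently approve a compromised password.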
3.6 Product analytics and error tracking (PostHog)
We use PostHog (EU-hosted) to understand how TT UI is used and to monitor client-side errors. PostHog may process:
- Page views and navigation paths on the site
- Custom product events (for example catalog views, install-command copies, checkout steps, sign-up funnel steps, and registry CLI access)
- A pseudonymous browser identifier and, when you are signed in, your Clerk user id after we call identify
- Client-side JavaScript exception data when errors occur in the browser
PostHog ingestion is proxied through our domain (/ingest). We use this data to improve the product and billing flows, not for third-party advertising.
3.7 Technical and hosting logs
Our hosting provider (for example Vercel) may automatically process standard technical data (such as request timestamps, URLs, referrer, and IP addresses) in server or CDN logs for reliability and security. Those logs are controlled by the hosting provider, operate under their retention practices, and are separate from the application-level registry access logs described in Section 3.4 (Registry access logs), where we store hashed fingerprints rather than raw IPs.
3.8 Cookies and similar technologies
We use cookies and similar browser storage where needed to run TT UI and measure product usage. We do not use marketing or advertising cookies.
Cookies on the TT UI website
| Cookie / source | Purpose | Typical duration |
|---|---|---|
| Clerk (authentication cookies, e.g. session cookies) | Keep you signed in and secure your account | Session / per Clerk configuration |
| PostHog (analytics cookies, e.g. ph_*) | Pseudonymous session and product analytics (EU-hosted) | Per PostHog configuration |
| sidebar_state (first-party) | Remember whether the documentation sidebar is expanded or collapsed | Up to 7 days |
We do not set other first-party cookies for advertising.
Similar technologies (not cookies)
- Theme preference: stored in your browser’s localStorage (via next-themes) so the light/dark/NASA theme persists on return visits. This is not shared with third-party advertisers.
When you pay or manage billing (Stripe)
Subscriptions use Stripe Checkout and the Stripe Customer Portal on Stripe’s own website. Stripe may set its own cookies on stripe.com (for example fraud prevention and checkout functionality). We do not embed Stripe payment cookies on TT UI pages during normal browsing.
OAuth sign-in (Google / GitHub)
If you sign in with Google or GitHub, those providers may set cookies during the short OAuth redirect flow, in addition to Clerk’s cookies on our site. See their privacy policies for details.
Hosting
Our hosting provider (for example Vercel) may use essential infrastructure cookies in some environments (for example preview deployments). These support delivery and security of the site, not marketing.
4. What we do not collect
- We do not run third-party marketing or advertising analytics (for example Google Ads conversion tracking).
- Installing free public components via npx shadcn@latest add @tt-ui/... from our static registry does not require a TT UI account, and we do not tie those installs to your identity in our database.
- We do not store directly readable (raw) IP addresses or full user-agent strings in our application registry access logs; we store one-way salted hashes instead (see Section 3.4 (Registry access logs)). Those hashes may still be personal data under UK GDPR.
5. Why we use your data (lawful bases)
Under UK GDPR, we rely on the following bases as applicable:
| Purpose | Typical lawful basis |
|---|---|
| Providing accounts, Pro access, and registry downloads | Contract (performance of our agreement with you) |
| Processing payments via Stripe | Contract and legal obligation (tax/records where applicable) |
| Registry access logging and token abuse prevention | Legitimate interests (security and fraud prevention), balanced against your rights |
| Product analytics and error monitoring (PostHog) | Legitimate interests (improving and securing the service), balanced against your rights |
| Optional password breach check (when you use it) | Consent |
When we handle privacy rights requests (see Section 11 (Your rights)), we rely on our legal obligation to respond under applicable data protection law.
6. Processors and subprocessors
We use trusted service providers who process data on our behalf:
| Provider | Role | Privacy information |
|---|---|---|
| Clerk | Authentication and user profiles | Clerk Privacy |
| Stripe | Payments and billing | Stripe Privacy |
| Our database host (e.g. Supabase, Neon, Vercel Postgres) | Registry tokens and access logs | Our database host’s privacy policy (depends on deployment) |
| Vercel (or similar) | Hosting and CDN | Vercel Privacy |
| PostHog | Product analytics and error tracking (EU) | PostHog Privacy |
| Have I Been Pwned | Password breach range API | HIBP FAQ |
| Google / GitHub (via Clerk OAuth) | Optional social sign-in | Respective provider privacy policies |
We require processors to protect personal data under contract where applicable.
We may add or change subprocessors from time to time as our service evolves. When changes are material, we will update this Privacy Policy (and, where appropriate, notify you by other reasonable means).
7. Data sharing
We do not sell your personal data.
We share personal data only with the processors listed in Section 6 (Processors and subprocessors), and only where necessary to operate TT UI (for example authentication, payments, hosting, registry security, or the optional breach check when you use it). Those providers process data on our instructions, not for their own independent marketing purposes.
We do not share your personal data with third parties for their own advertising or data-brokerage.
8. International transfers
Personal data may be processed in the United Kingdom (where Tibbs Tech Ltd operates) and transferred to other countries when we use the subprocessors listed in Section 6. In particular:
- Clerk (authentication and profiles), Stripe (payments), Vercel or a similar host (website and API hosting), and Google / GitHub (when you use OAuth sign-in) are companies that may process data in the United States and in other jurisdictions where they operate.
- Hosted PostgreSQL (for example Supabase, Neon, or Vercel Postgres) stores registry tokens and access logs in the region configured for our production database (for example EU or US, depending on deployment settings).
- Have I Been Pwned receives only the first five characters of a SHA-1 password hash when you use the optional breach check (see Section 3.5 (Password breach check)); it may process that request outside the UK.
We do not control every subprocessor’s exact data centres or routing. For more detail on where a provider stores or processes data, see that provider’s privacy policy and documentation.
Where a provider offers regional hosting or data residency options (for authentication, payments, database hosting, or similar), we configure those according to our production setup and may change regions as our infrastructure evolves.
When personal data is transferred outside the UK, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or equivalent mechanisms recognised under UK law, including contractual protections offered by our processors where applicable.
9. How long we keep data
We retain personal data only as long as necessary for the purposes described in this policy, including providing the service, meeting legal obligations, resolving disputes, and protecting TT UI from abuse.
| Data type | Retention (indicative) |
|---|---|
| Account data (Clerk) | While your account is active; deleted or anonymised after a reasonable period following account closure, subject to legal retention needs |
| Billing records (Stripe / our metadata) | As required for tax, accounting, and dispute resolution (typically up to 7 years where applicable) |
| Registry CLI tokens | Until you revoke them in the dashboard or we disable them; revoked tokens remain as hashed records until purged from our database |
| Registry access logs | Up to 90 days for abuse investigation and security, unless a longer period is required for an active incident or legal hold |
| Hosting / CDN logs | Per our hosting provider’s default retention (separate from our application access-log table) |
We may update retention periods; material changes will be reflected in this policy.
Deletion requests and account closure
If you close your account or ask us to delete your personal data (see Section 11 (Your rights)), we will:
- Delete or anonymise data in systems we control (for example registry tokens and related access logs tied to your account) within a reasonable period, typically within 30 days, unless a longer period is required by law or needed to resolve a dispute
- Ask or rely on processors (Clerk, Stripe, and our database host) to delete or anonymise data they hold on our instructions, in line with their policies and our agreements
- Revoke active registry CLI tokens so they can no longer access the Pro registry
Some data may remain longer where we must keep it (for example billing records for tax) or where deletion is not technically immediate.
Backups
Our database and hosting providers may keep backup copies for disaster recovery. Those backups can contain personal data for a limited period after deletion from live systems (for example until backup rotation overwrites them, often on the order of days to weeks, depending on the provider). During that window, data is not used for ordinary service operation.
10. Security
We implement measures appropriate to the risk, including:
- Storing registry tokens only as cryptographic hashes (with an optional server-side pepper)
- Storing only one-way salted hashes (not directly readable IP addresses or user-agents) in the application abuse telemetry table
- Restricting admin access-log views to authorised administrators
- Using HTTPS for data in transit
No method of transmission or storage is 100% secure; we cannot guarantee absolute security.
11. Your rights
If you are in the UK or EEA, you may have the right to:
- Access personal data we hold about you
- Rectify inaccurate data
- Erase data in certain circumstances
- Restrict or object to processing in certain circumstances
- Data portability where applicable
- Withdraw consent where processing is based on consent
- Lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk
To exercise your rights, email privacy@tibbstech.co.uk. We may need to verify your identity.
12. Children
TT UI is not directed at children. We do not knowingly collect personal data from anyone under the age of 13, or under 16 where a higher age of digital consent applies in their jurisdiction.
If you believe a child has provided us personal data, contact us at privacy@tibbstech.co.uk and we will take appropriate steps to delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page indicates when it was last revised. Continued use of TT UI after changes constitutes notice of the updated policy where permitted by law.