Spotcheck
How it works

Privacy

Spotcheck is a free calculator. We collect as little as we can get away with and don’t sell anything to anyone. This page describes what actually happens when you use the site, in plain language. Last updated 2026-05-09.

What we collect

  • Form inputs. When you submit an estimate we receive everything you typed: postcode, annual electricity spend or kWh, solar and battery sizes, hot-water type, EV usage. Nothing identifies you personally.
  • IP address.Briefly, for per-IP rate limiting on the estimator (so one user can’t burn compute for everybody else). We don’t store it alongside your form data.
  • CAPTCHA token. Cloudflare Turnstile mints a short-lived token when you solve the challenge; we send it to Cloudflare to verify and discard it. Turnstile is designed to avoid identifying users — it does not use tracking cookies.
  • Anonymous page views. Vercel Analytics records aggregate page-view counts for performance and traffic monitoring. It does not use cookies and does not identify individuals.
  • Telemetry. We collect operational traces and logs — request timing, error rates, that kind of thing. No form contents.

Cookies

Spotcheck doesn’t use tracking cookies, third-party advertising cookies, or session cookies for marketing. We do remember your last form submission on your own device so you don’t have to re-enter it next time — that information never leaves your browser.

How long we keep things

  • Estimate jobs. Cached for 24 hours, then automatically deleted.
  • Shared estimate links (e.g. /s/<slug>). Stored in our database for as long as you keep them shared. Email john@johnmerchant.dev if you want one removed.
  • Rate-limiter records. Hashed IP + hour-window counters. Expire from cache after one hour.

Who else sees this data

  • Cloudflare — DNS, CAPTCHA, and edge proxy for the API.
  • Vercel — hosts the website and runs the cookieless analytics endpoint.
  • Our hosting provider — runs the backend that performs the simulation.
  • Our observability provider — receives operational telemetry (timing, error rates) from the backend.

We don’t sell, share, or rent your inputs to any advertiser, retailer, or affiliate network.

Your rights

Under the Australian Privacy Act 1988 you can ask for a copy of any personal information we hold about you, or ask us to delete it. Because we don’t store identifying information alongside form submissions there’s usually nothing to retrieve, but you can email john@johnmerchant.devand we’ll respond within a reasonable time.

Changes

If we change what we collect or how it’s handled, we’ll update this page and bump the “last updated” date at the top.