Privacy Policy
Effective date: 26 April 2026
Last updated: 26 April 2026
This is the privacy policy for Fincharta, a service operated by Fincharta Limited (Company No. 16401198), registered office 124 City Road, London, EC1V 2NX ("we", "us", "Fincharta"). We are the data controller for the personal information described in this policy.
We take your privacy seriously. This policy explains what we collect, why, who we share it with, how long we keep it, and the rights you have over your data. We have tried to write it in plain English.
1. Who this policy applies to
- Visitors to our websites at fincharta.co.uk and fincharta-brochure.onrender.com
- Anyone who creates an account on our portal
- Anyone who uploads bank statement data for analysis
- Anyone who emails hello@fincharta.co.uk or otherwise contacts us
2. What we collect
2.1 Information you give us directly
When you create an account: email address (sign-in and service emails), name (optional), business name and industry classification (used to format reports), authentication credentials (managed by Clerk; we do not store your password).
When you upload a bank statement: the PDF or CSV file you upload, the transactions extracted (date, amount, description, balance), any categorisation or annotation you provide.
When you contact us: contents of your message and any attachments, your email address.
2.2 Information collected automatically
- IP address (rate limiting and security)
- Browser type and version (compatibility)
- Approximate location based on IP (currency defaults; no precise geolocation stored)
- Pages visited and actions taken on the service (product improvement and security monitoring)
- Timestamps of activity
We do not use behavioural advertising trackers. We do not sell, share, or rent personal information to advertisers.
2.3 Information from third parties
From Stripe (our payment processor): billing email, payment method type — we never see your card number. From Clerk (our authentication provider): your verified email and authentication metadata.
3. Why we collect it (lawful basis)
UK GDPR requires us to identify a "lawful basis" for each type of processing. Ours are:
| What we do | Why | Lawful basis |
|---|---|---|
| Operate your account | Deliver the service you signed up for | Performance of contract |
| Process bank statement data | Produce the financial reports you request | Performance of contract |
| Take payment | Bill for the subscription you purchased | Performance of contract |
| Send service emails | Deliver features you signed up for | Performance of contract |
| Detect and prevent fraud | Protect the service and other customers | Legitimate interests |
| Tax / accounting / legal compliance | Required by law | Legal obligation |
| Send marketing emails (only if you opt in) | Tell you about new features | Consent |
You have the right to object to processing based on legitimate interests. See section 8.
4. Sensitive financial data
Bank statement data is sensitive. We treat it as such:
- We process bank statements only to produce the reports you request and to operate features you choose to use
- We do not use your transaction data to train or improve any AI model, ours or any third party's
- We do not share your transaction data with credit reference agencies, advertising networks, or anyone not strictly necessary to deliver the service
- The full text of bank statements is encrypted at rest and in transit, and deleted automatically 30 days after your last interaction with the report it produced (or sooner, if you delete it manually)
- Our employees do not access your transaction data unless you specifically grant access for support (e.g., when responding to a support ticket where you have shared a report ID)
5. Who we share data with (data processors)
We use a small number of carefully selected third-party services. Each one is a "data processor" — they process data on our instructions, only for the purposes we tell them to, under written contracts.
| Provider | Purpose | Data they receive | Where stored |
|---|---|---|---|
| Clerk Inc. | User authentication | Email, hashed password, auth tokens | United States (UK SCCs) |
| Supabase Inc. | Database, file storage, backend | All application data including reports and bank statement files | United Kingdom (eu-west-2) |
| Vercel Inc. | Application hosting and edge delivery | Server logs, request metadata | Multi-region (UK and EU edge nodes) |
| Anthropic, PBC | LLM inference for plain-English summaries | Aggregated, depersonalised report summaries — no transaction-level detail, no PII | United States (under SCCs) |
| Stripe Payments UK Ltd. | Payment processing | Billing email, subscription metadata. Card numbers never touch our servers. | United Kingdom and Ireland |
| Resend, Inc. | Transactional email | Email address, message content | United States and EU regions |
| Plausible Insights OÜ | Privacy-friendly analytics (no cookies, no personal data, IPs anonymised at source) | Anonymised page-view counts only | European Union |
| Sentry, Inc. | Error tracking | Application errors with PII scrubbed at source | United States and EU regions |
If we add a new processor, we update this list before they begin processing your data. We do not transfer personal data outside the UK or EEA except to the providers listed above, under appropriate safeguards (UK Standard Contractual Clauses or UK Adequacy Regulations).
6. How long we keep it
| Type of data | Retention period |
|---|---|
| Account information (email, business name) | While your account is active, plus 30 days after deletion |
| Bank statement files (PDFs/CSVs you upload) | 30 days from last interaction, then automatically deleted |
| Generated reports | While your account is active, plus 30 days after deletion |
| Billing and payment records | 7 years from end of subscription (UK tax law) |
| Support email correspondence | 3 years from last contact |
| Server access logs | 90 days |
| Authentication logs (Clerk) | 30 days |
When the retention period ends, data is permanently deleted from active systems within 30 days. Backup copies are deleted within 90 days of active deletion.
7. Security
- Encryption in transit — all data flows over HTTPS/TLS 1.2+
- Encryption at rest — Supabase encrypts all stored data with AES-256
- Authentication and access control — Clerk handles password hashing (bcrypt) and session security; database access is gated by Row Level Security policies that prevent any user reading another user's data
- Network isolation — application services communicate over private networks where possible
- Vulnerability management — automated dependency scanning runs on every deployment; we apply security patches promptly
- Limited employee access — only with two-factor authentication, only when strictly necessary for support
- Incident response — documented response plan; if a breach risks your rights we will notify you and the ICO within 72 hours as required by UK GDPR
8. Your rights
UK GDPR gives you several rights over your data. Exercise any of them by emailing privacy@fincharta.co.uk.
- Right of access — copy of all personal data we hold (we respond within 30 days)
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — delete your data, unless we have a legal obligation to keep it. You can self-serve in Settings → Danger Zone
- Right to data portability — your data in machine-readable format (CSV/JSON). You can also self-serve in Settings
- Right to object — object to processing based on legitimate interests
- Right to restrict processing — pause processing while a dispute is resolved
- Right to withdraw consent — for marketing emails, anytime
- Right not to be subject to automated decisions — we do not make automated decisions with legal or similarly significant effects about you
- Right to complain — to the ICO. See section 11.
We may need to verify your identity before fulfilling a rights request, to make sure we are not giving someone else's data away.
9. Cookies and tracking
See our separate Cookie Policy. In short: we use cookies necessary for the service to work (authentication, security) and nothing else. We do not use advertising cookies, tracking pixels, or third-party behavioural advertising.
10. Children's data
Fincharta is not directed at, or intended for, children under 18. We do not knowingly collect data from anyone under 18. If you believe we have collected such data, please email privacy@fincharta.co.uk and we will delete it.
11. Complaints
If you are unhappy with how we have handled your data, please contact us first at privacy@fincharta.co.uk. We aim to resolve complaints within 30 days.
You also have the right to complain to the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
0303 123 1113
Our ICO registration number is ZB985385.
12. Changes to this policy
We may update this policy from time to time. When we do, we will post the new version at this URL, update the "Last updated" date at the top, and email you about material changes at least 30 days before they take effect.
13. Contact us
For privacy questions or to exercise your rights:
- Email: privacy@fincharta.co.uk
- Post: Privacy Officer, Fincharta Limited, 124 City Road, London, EC1V 2NX
For all other questions: hello@fincharta.co.uk