Privacy Policy
Last updated: 2026-04-14
Receiptflow Ltd · UK GDPR & Data Protection Act 2018 · Effective: 14 April 2026
- ICO Registration: ZC120881
- Privacy Contact: privacy@receiptflow.co
1. Who We Are & Our Dual Role
Receiptflow Ltd (Company No. 15992753, "we", "us") is a UK-based software company providing automated financial data extraction services. Our registered office is at Office 9 Unit B, Madison Place, Northampton Road, M40 5AG, England.
Our dual role under UK GDPR:
- Data Controller: For data we collect about you as our customer — including your name, email address, billing information, and account usage data — we are the Data Controller. We determine the purposes and means of processing this data.
- Data Processor: For financial documents and the personal data they contain that you upload to the platform — including your clients' names, addresses, and transaction data — we act as your Data Processor. You (the Customer) are the Data Controller for this data, and we process it solely on your instructions.
This distinction is critical and is governed by our Data Processing Addendum (DPA), which forms part of our Terms of Service.
2. Data We Collect as Controller (Your Account Data)
| Data Category | Examples | Legal Basis (UK GDPR) | Retention |
|---|---|---|---|
| Identity & Contact | Name, email address, company name | Art. 6(1)(b) — Contract performance | Duration of account + 6 years |
| Billing Data | Invoice history, payment method (held by Stripe) | Art. 6(1)(b) — Contract; Art. 6(1)(c) — Legal obligation | 7 years (HMRC requirement) |
| Usage & Log Data | Login timestamps, feature usage, API call logs | Art. 6(1)(f) — Legitimate interests (security, improvement) | 13 months rolling |
| Support Communications | Emails, chat transcripts | Art. 6(1)(b) — Contract performance | 3 years from last contact |
| Cookie & Analytics Data | Session data, page views (see Cookie Policy) | Art. 6(1)(a) — Consent | See Cookie Policy |
3. Customer Data — Our Role as Processor
When you upload financial documents to Receiptflow, those documents may contain personal data about your clients, suppliers, or employees (names, addresses, VAT numbers, bank details, etc.). We process this data only on your instruction and only for the purpose of providing the extraction service.
We do not: sell this data; use it for advertising; analyse it for our own commercial purposes; or use it to train machine learning models without your explicit written consent.
We do not retain document images submitted to our OCR sub-processor (Microsoft Azure Document Intelligence) beyond the duration of the individual API call.
4. Data Sharing & Sub-processors
We share data only where necessary to provide the service. A full list of our sub-processors (infrastructure and technology providers who process data on our behalf) is available on request by emailing privacy@receiptflow.co. Key providers are:
| Provider | Purpose | Data | Location |
|---|---|---|---|
| Amazon Web Services | Cloud infrastructure & storage | All Customer Data | UK (eu-west-2, London) |
| Supabase | Database & authentication | Account & structured data | EU (via AWS) |
| Microsoft Azure | OCR / document processing | Document images (not retained) | EU (North Europe) |
| Stripe | Payment processing | Billing data only | EU / UK |
5. International Transfers
Our primary processing is UK-based (AWS London Region). Where sub-processors involve transfers outside the UK, we ensure appropriate safeguards are in place under UK GDPR Chapter V, including UK International Data Transfer Agreements (IDTAs) or equivalent adequacy arrangements. Details are available in our DPA and on request from privacy@receiptflow.co.
6. Your Rights as a Data Subject
| Right | Description |
|---|---|
| Right of Access | Request a copy of personal data we hold about you (as Controller). |
| Right to Rectification | Request correction of inaccurate personal data. |
| Right to Erasure | Request deletion of your personal data where the lawful basis no longer applies. |
| Right to Restriction | Request that we restrict processing in certain circumstances. |
| Right to Portability | Receive your account data in a structured, machine-readable format. |
| Right to Object | Object to processing based on legitimate interests. |
To exercise any right, email privacy@receiptflow.co. We will respond within 30 days. If you are dissatisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
7. Security
We implement appropriate technical and organisational measures to protect personal data, including AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, and regular security testing. Full details are at receiptflow.co/security.
8. Changes to This Policy
We will notify you of material changes to this Privacy Policy by email (to the address on your account) at least 30 days before the change takes effect. The current version is always available at receiptflow.co/legal/privacy.
Version 1.0
