Privacy Policy

Last updated: 14 May 2026 · Effective: 14 May 2026

This Privacy Policy explains how Scarborough BC Ltd ("we", "us", "our") — trading as CashflowOS — collects, uses, stores and shares personal information when you use the service available at cashflowwiz.co.uk. We are committed to compliance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

For the purposes of UK data protection law, we are the data controller of personal data about our customers (you) and your account users. We act as a data processor in respect of personal data that you put into the service about third parties (for example, customer payees that appear in your bank transactions) — see our Data Processing Addendum.

1. Contact details

Scarborough BC Ltd
Company number: 15051613
Registered office: [ADDRESS PENDING — edit /src/lib/legal.ts]
ICO registration: [ICO REGISTRATION PENDING — register at ico.org.uk first]
Privacy enquiries: privacy@cashflowos.app
Security issues: security@cashflowos.app

2. What personal data we collect

We collect the following categories:

Information you give us

  • Account data: name, email address, password (stored as a bcrypt hash — never in plain text), workspace name, billing address, and the role you have within a workspace.
  • Entity data: business names, legal names, company numbers, VAT numbers, and any colour or icon choices you set.
  • Bank account metadata: account name, last four digits of account number and sort code (you choose what to enter — full numbers are never required), bank name.
  • Financial transaction data: dates, amounts, descriptions, counterparties, categories and tags for the transactions you create manually, import from statement files, or sync via Open Banking.
  • Recurring items: the rules you define for fixed and variable payments and income.
  • Support correspondence: the content of support tickets and messages you send us.
  • Uploaded files: bank statements you upload (CSV / PDF) are stored encrypted at rest until you delete them.

Information from third parties

  • Open Banking providers: when you authorise a bank connection through TrueLayer, we receive transactions, balances, account names and sort/IBAN information from your bank. We never see your bank login credentials.
  • Payment processor: when you subscribe, Stripe shares billing details and payment outcomes with us; we never see your full card number.
  • Email provider: Brevo reports delivery / open events back to us when we send you a transactional email.

Information collected automatically

  • Technical data: IP address, browser/device user agent, pages visited, timestamps. Stored in server access logs for security and abuse detection.
  • Audit log: a record of writes made to financial data — who changed what, when, from which IP.
  • Session cookie: a single strictly-necessary cookie (cfos_session) to keep you signed in. See our Cookie Policy.

3. Purposes and legal bases

We process personal data only where we have a lawful basis under UK GDPR Article 6:

Purpose | Legal basis
Providing the service (managing accounts, transactions, forecasts) | Contract — Article 6(1)(b)
Processing Open Banking data pulled from your bank | Your explicit consent given to your bank under PSD2, and contract performance
AI categorisation and forecasting (Anthropic) | Your consent (you can disable AI features in settings)
Subscription billing (Stripe) | Contract — Article 6(1)(b)
Email notifications | Contract (transactional) and consent (marketing; opt-in only)
Security, abuse prevention, audit logging | Legitimate interests — Article 6(1)(f) — namely keeping the service secure and reliable. Necessary, proportionate, low-impact.
Compliance with legal obligations (tax records, court orders) | Legal obligation — Article 6(1)(c)

4. Automated decision-making and AI

We use AI (provided by Anthropic) for three purposes:

  • Transaction categorisation — to suggest a category for each transaction.
  • Pattern labelling — to clean up merchant names and identify recurring patterns.
  • "Can I spend this?" advisor — to give a Green / Amber / Red verdict on a proposed spend.

These are suggestions, not decisions that produce legal or similarly significant effects. You can override every AI suggestion, and AI verdicts are not financial advice. None of our AI output triggers automatic transfers or any irreversible action. You may disable AI features in your settings if you prefer manual categorisation.

When we send data to Anthropic, we send only transaction descriptions, amounts, dates, and your category names. We do not send: full account numbers, IBANs, sort codes, your name or email, or any direct identifiers. Anthropic does not use API requests to train its models.

5. Who we share data with (sub-processors)

We use the following sub-processors. Each one is contractually bound to UK GDPR-equivalent terms and is only allowed to process data on our instructions.

Provider | Purpose | Region
Hetzner Online GmbH | Application hosting + database hosting | European Union (Germany / Finland)
TrueLayer Limited | UK Open Banking — pulls transactions, balances and account info from your bank with your explicit consent | United Kingdom
Anthropic, PBC | AI categorisation of bank transactions, can-I-spend forecasting, pattern labelling | United States
Stripe Payments UK Ltd | Subscription billing + card payments | United Kingdom + United States
Sendinblue / Brevo | Transactional email (welcome, shortage alerts, support replies) | European Union (France)
Cloudflare, Inc. | DNS + CDN (when enabled) | Global edge — UK / EU points of presence for our region

For sub-processors outside the UK (currently Anthropic in the United States), transfers are protected by UK-approved Standard Contractual Clauses with the additional safeguards required by the UK International Data Transfer Addendum.

We will give reasonable advance notice of any new sub-processor for paying customers and you may terminate your subscription with a pro-rata refund if you object.

6. How long we keep data

  • Account data: until you delete your account, then 30 days in soft-delete state, then permanent deletion.
  • Financial transactions: as long as your account is active. After account deletion, retained for up to 7 years in a restricted-access archive to satisfy UK tax and accounting record-keeping obligations (HMRC requires businesses to keep records for at least 6 years).
  • Uploaded bank statement files: 90 days after import, then auto-deleted unless you have explicitly opted to retain them.
  • AI analysis logs (prompts, responses, token counts): 90 days, then purged.
  • Audit log entries: 2 years.
  • Server access logs: 30 days.
  • Bank connections (TrueLayer): consent automatically expires 90 days after connection per UK Open Banking rules. We delete cached tokens on expiry.
  • Support tickets: 3 years from closure.

7. Your rights

Under UK GDPR you have the right to:

  • Be informed about what we do with your data — this policy.
  • Access — get a copy of the personal data we hold about you. Use the "Export my data" button on your settings page or email privacy@cashflowos.app.
  • Rectification — correct inaccurate data.
  • Erasure — ask us to delete your data, subject to the legal retention periods above.
  • Restriction — limit our processing in certain cases.
  • Portability — receive your data in a machine-readable format (we provide JSON + CSV exports).
  • Object — to processing based on legitimate interests; to direct marketing at any time.
  • Withdraw consent — at any time, for AI features or marketing emails.
  • Complain to the ICO — the UK Information Commissioner's Office at ico.org.uk/make-a-complaint or 0303 123 1113.

We respond to rights requests within one month. There is no charge unless the request is manifestly unfounded or excessive.

8. Security

We take the security of your financial data seriously. Measures include:

  • TLS 1.2+ in transit for all traffic.
  • Bcrypt password hashing with a strong work factor.
  • Per-workspace row-level isolation in the database.
  • Encrypted-at-rest disk volumes.
  • Uploaded statement files stored under restricted file permissions.
  • Audit log of every write to financial data.
  • Daily database backups with 30-day retention.
  • Minimum-privilege staff access; production secrets held in encrypted settings.
  • Optional two-factor authentication for paid tiers (Business and Agency).

Report a security issue to security@cashflowos.app. We will respond within 72 hours and publicly thank responsible disclosure (with permission).

9. Children

The service is for users aged 18 or over. We do not knowingly collect data from children. If you believe a child has provided us data, contact privacy@cashflowos.app and we will delete it.

10. Changes to this policy

We will give you at least 14 days' notice (via email and an in-app banner) before any material change. The current version date is shown at the top. Continued use of the service after a change constitutes acceptance.

11. Open Banking — specific terms

When you connect a bank through TrueLayer, you grant your bank permission (under PSD2) to share read-only data with us for 90 days. We never see your bank login credentials. We never initiate payments. We will only use the data for the cashflow management features you signed up for. You may revoke consent at any time from Bank connections or directly from your bank's app.

12. Cookies

We use a single strictly-necessary cookie to keep you signed in. We do not use advertising or tracking cookies at the date of this policy. See our Cookie Policy for details.