Contents
- 1. Data Controller
- 2. What We Collect
- 3. How We Use Your Data
- 4. Legal Basis for Processing
- 5. Third-Party Processors
- 6. Open Banking & TrueLayer
- 7. HMRC & Financial Records
- 8. AI Processing
- 9. Data Retention
- 10. Security
- 11. International Transfers
- 12. Your Rights
- 13. Cookies
- 14. Changes to This Policy
- 15. Contact & ICO
1 Data Controller
FinOwl is operated by Polsia Ltd, registered in England and Wales. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Polsia Ltd is the data controller for personal data processed through the FinOwl platform.
If you have any questions about this policy or how we handle your data, contact our data team at: finowl@polsia.app
2 What We Collect
We collect the following categories of personal and financial data:
Account information
- Email address (required to create and authenticate your account)
- Name (optional, used for personalisation)
- Account creation date and last login timestamp
- Subscription status and payment history (via Stripe)
Financial data (via Open Banking)
- Bank account details: account name, sort code, account number (masked), balance
- Transaction history: dates, amounts, descriptions, merchant names, transaction references
- Transaction categories and VAT classifications applied by our AI
- Your manual corrections and notes on transactions
Uploaded documents
- Receipts and invoices uploaded for reconciliation (images and PDFs)
- Extracted data from those documents (amounts, dates, supplier names, VAT amounts)
Usage and technical data
- IP address and approximate location
- Browser type and version, operating system
- Pages visited, features used, time on platform
- Session identifiers and authentication tokens
- Error logs and diagnostic data
Communications
- Emails you send to our support address
- Feedback or feature requests you submit
3 How We Use Your Data
| Purpose | Data Used |
|---|---|
| Providing and operating the FinOwl service | Account info, financial data, uploaded documents |
| Authenticating your account via email login links | Email address |
| AI-powered transaction categorisation using HMRC UK business categories | Transaction descriptions, amounts, merchants |
| VAT calculations and MTD preparation | Transaction data, categories, your VAT settings |
| Receipt and invoice OCR extraction | Uploaded document images |
| HMRC audit trail generation | All financial data changes and actions |
| Processing subscription payments | Email address, payment details (handled by Stripe) |
| Sending service notifications and account updates | Email address |
| Analytics to improve the platform | Anonymised usage data |
| Responding to support enquiries | Email and any information you provide |
| Fraud prevention and security | IP address, usage patterns |
| Complying with legal obligations | Relevant data as required by law |
4 Legal Basis for Processing
Under UK GDPR, we process your data on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance (Article 6(1)(b)) |
| Providing bookkeeping and financial tools | Contract performance (Article 6(1)(b)) |
| Processing financial data for categorisation and VAT | Contract performance (Article 6(1)(b)) |
| Billing and payment processing | Contract performance (Article 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Platform analytics and improvement | Legitimate interests (Article 6(1)(f)) |
| Marketing communications (if opted in) | Consent (Article 6(1)(a)) |
| Analytics cookies (with consent) | Consent (Article 6(1)(a)) |
| Legal and regulatory compliance | Legal obligation (Article 6(1)(c)) |
Where we rely on legitimate interests, we have balanced those interests against your rights and concluded they do not override your interests or fundamental rights.
5 Third-Party Processors
We share data with the following trusted third-party processors, each bound by data processing agreements in accordance with UK GDPR:
Stripe (Payment processing)
We use Stripe, Inc. to process subscription payments. Stripe collects your payment card details directly — FinOwl never sees or stores your full card number. Stripe stores your email address, payment method details, and billing history as required to process subscriptions.
TrueLayer (Open Banking)
We use TrueLayer Ltd, an FCA-authorised Account Information Service Provider (AISP) (FCA Registration No. 793171), to facilitate Open Banking connections to your bank accounts. TrueLayer retrieves your transaction data on your behalf and transmits it to FinOwl. TrueLayer acts as a separate data controller for the Open Banking consent flow.
OpenAI (AI transaction categorisation)
Transaction descriptions are processed by OpenAI, LLC to power AI-based categorisation. We send transaction description text (not your personal identifiers) to OpenAI's API. OpenAI processes this data under our API agreement, which includes data processing terms prohibiting training on API data by default.
Neon (Database hosting)
Your financial data and account information are stored in a PostgreSQL database hosted by Neon, Inc. Data is stored in the EU (Frankfurt region) with encryption at rest.
Cloudflare R2 (Document storage)
Receipts and invoices you upload are stored using Cloudflare's R2 object storage service. Files are stored with access controls limiting retrieval to authenticated users only.
Render (Cloud hosting)
FinOwl's application servers are hosted on Render, Inc. infrastructure. Application logs and transient data may be processed in Render's data centres.
Polsia Analytics (First-party analytics)
We use a privacy-respecting, first-party analytics system operated by Polsia Ltd to understand how users find and use FinOwl. No data is shared with third-party advertising networks.
6 Open Banking & TrueLayer
When you connect a bank account to FinOwl, we use Open Banking infrastructure regulated by the Financial Conduct Authority (FCA). Key points:
- Read-only access: FinOwl and TrueLayer can only read your transaction data — they cannot initiate payments, move money, or modify your bank account in any way.
- Your explicit consent: You must actively authorise the connection in your bank's own app or website. FinOwl never receives your banking username or password.
- Revocable at any time: You can revoke Open Banking access at any time either through FinOwl's settings or directly through your bank. Revoking consent stops new data from being imported but does not delete historical data already stored in FinOwl.
- Consent period: Open Banking connections typically expire every 90 days, after which you will be prompted to reauthorise.
- Data scope: We access account identification details (sort code, account number, account name) and transaction history (dates, amounts, merchant names, references) going back up to 24 months depending on your bank's availability.
7 HMRC & Financial Records
FinOwl processes your financial data to help you maintain records in compliance with HMRC's Making Tax Digital (MTD) requirements. In this context:
- We generate and store an immutable audit trail of all financial data changes, as required for HMRC compliance purposes. This audit trail is retained for a minimum of 6 years (the statutory HMRC retention period).
- We do not share your financial data with HMRC directly unless required to do so by law (e.g., in response to a valid legal order).
- You remain responsible for the accuracy and completeness of information submitted to HMRC. FinOwl is a record-keeping aid, not a tax agent.
- If you export data from FinOwl for HMRC submission, that export represents your data at a point in time and is your responsibility to verify.
8 AI Processing of Financial Data
FinOwl uses AI (powered by OpenAI's API) to categorise your bank transactions into HMRC-compliant business categories and to extract data from receipts and invoices.
What data is sent to AI
- Transaction descriptions, amounts, and dates (without your name or account identifiers)
- Receipt and invoice images (for OCR extraction)
What we do not send to AI
- Your name, email address, or other personal identifiers
- Your bank account number or sort code
- Aggregated balance information
Automated decision-making
AI categorisation constitutes automated processing that affects how your transactions are classified. This is not a legally significant automated decision — you retain full ability to review and correct every categorisation. We do not use AI to make decisions about your creditworthiness, eligibility for services, or any other significant legal matter.
Right to contest AI decisions
You have the right to contest any AI-generated categorisation and request a manual review. Use the correction tools within the dashboard or contact us at finowl@polsia.app.
9 Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information (email, name) | Duration of account + 90 days post-cancellation | Service provision; data export window |
| Financial transaction records | 6 years from date of transaction | HMRC statutory requirement |
| HMRC audit trail logs | 6 years minimum | HMRC statutory requirement |
| Uploaded receipts & invoices | 6 years from upload date | HMRC statutory requirement |
| Subscription and payment records | 7 years | Accounting and tax compliance |
| Usage analytics (anonymised) | 26 months | Product improvement |
| Support email correspondence | 3 years | Service quality and dispute resolution |
| Security and access logs | 12 months | Security monitoring and incident response |
After the applicable retention period, data is securely deleted or anonymised. Note that the 6-year HMRC statutory requirement means we must retain financial records even after account cancellation. You will be informed of this when you cancel your account, and you may request a full data export before deletion.
10 Security
We implement appropriate technical and organisational measures to protect your data:
- Encryption in transit: All data transmitted between your browser and FinOwl is encrypted using TLS 1.2 or higher.
- Encryption at rest: Database backups and stored documents are encrypted at rest.
- Authentication: Passwordless email login with short-lived tokens. No passwords means no password database to breach.
- Access controls: Internal access to production data is restricted to authorised personnel only, with access logs maintained.
- Parameterised queries: All database interactions use parameterised SQL to prevent SQL injection attacks.
- Dependency monitoring: Third-party packages are audited for known vulnerabilities.
If you discover a security vulnerability in FinOwl, please report it to finowl@polsia.app. We take all security reports seriously and aim to respond within one business day.
See our full Security & Compliance page for more details.
11 International Data Transfers
Your data may be processed by third-party providers in countries outside the UK. Where this occurs, we ensure appropriate safeguards are in place:
- OpenAI (USA): Transfers are covered by Standard Contractual Clauses (SCCs) and OpenAI's UK Addendum under UK GDPR Article 46.
- Stripe (USA): Transfers are covered by SCCs and Stripe's UK data processing agreement.
- Render (USA): Application servers. Transfers are covered by SCCs.
- Neon (EU — Frankfurt): Primary database storage remains within the EEA; no additional transfer mechanism required.
- Cloudflare R2: Document storage. Cloudflare is bound by SCCs for any non-EEA processing.
You may request a copy of the transfer mechanisms we rely on by contacting finowl@polsia.app.
12 Your Rights Under UK GDPR
You have the following rights in respect of your personal data:
Right of access
Request a copy of all personal data we hold about you.
Right to rectification
Request correction of inaccurate or incomplete data.
Right to erasure
Request deletion of your data (subject to legal retention obligations).
Right to portability
Receive your financial data in a machine-readable format (CSV, JSON).
Right to restriction
Request that we limit how we process your data in certain circumstances.
Right to object
Object to processing based on legitimate interests.
Rights re: automated decisions
Contest AI-generated categorisations and request human review.
Right to withdraw consent
Withdraw consent for optional processing (e.g., analytics cookies) at any time.
To exercise any of these rights, contact us at finowl@polsia.app with "Data Rights Request" in the subject line. We will respond within one calendar month as required by UK GDPR.
Note that the right to erasure cannot override our legal obligation to retain financial records for HMRC compliance (6 years). In such cases, we will explain what data we are legally required to retain and what we can delete.
13 Cookies
We use cookies and similar technologies on the FinOwl platform. A summary is included here; for full details, see our Cookie Policy.
We use:
- Strictly necessary cookies: For authentication and session management. These cannot be disabled.
- Analytics cookies: To understand usage and improve the platform. These are only set with your consent via our cookie banner.
You can manage your cookie preferences at any time via our cookie banner on the landing page.
14 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the features we offer. When we make material changes, we will notify you by email at least 14 days before the changes take effect.
The "Last updated" date at the top of this page will always reflect the current version. We encourage you to review this policy periodically.
15 Contact & ICO
Contact us
For any questions about this Privacy Policy or to exercise your data rights:
- Email: finowl@polsia.app
- Subject line: "Privacy Enquiry" or "Data Rights Request"
- Response time: Within 5 business days for general enquiries; within one calendar month for formal data rights requests
Information Commissioner's Office (ICO)
If you are not satisfied with how we handle your data or your rights request, you have the right to lodge a complaint with the UK's supervisory authority:
- ICO Website: ico.org.uk
- ICO Helpline: 0303 123 1113
- ICO Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would appreciate the opportunity to resolve your concern directly before you contact the ICO, but this does not affect your statutory right to complain at any time.