Security & Compliance

🛡️

GDPR Compliance

UK & EU Data Protection

FinOwl is fully compliant with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We process your personal and financial data only for the purposes you have explicitly authorised — providing bookkeeping, VAT, and financial reporting services for your business.

✓ Lawful basis: We process your data under the lawful bases of contractual necessity and your explicit consent. We never sell or share your data with third parties for marketing purposes.
✓ Data minimisation: We collect only the data required to deliver the service — transaction data, categorisation preferences, and VAT configuration. Nothing more.
✓ Data subject rights: You have the right to access, correct, export, or delete all data FinOwl holds about you and your business at any time. See the Data Retention section below for details.
✓ Data residency: Your financial data is stored and processed exclusively within UK infrastructure. We do not transfer personal data outside the UK without appropriate safeguards.
✓ Breach notification: In the event of a data breach affecting your personal data, we will notify you and the ICO within 72 hours in accordance with UK GDPR Article 33.

🔐

Encryption

In Transit & At Rest

All communication between your browser and FinOwl is encrypted using TLS 1.3 — the strongest version of the transport layer security protocol. There is no unencrypted fallback. Data cannot be read in transit, even on public networks.

🔒 HTTPS everywhere. All FinOwl pages and APIs are served exclusively over HTTPS. HTTP connections are automatically redirected. HSTS (HTTP Strict Transport Security) is enforced to prevent protocol downgrade attacks.

All financial data — including transaction records, categorisation history, VAT data, and account configurations — is encrypted at rest using AES-256 encryption on our database servers. Sensitive credentials such as Open Banking access tokens are encrypted with an additional application-layer key (AES-256-GCM) before being written to the database, meaning a database compromise alone would not expose your access credentials.

✓ TLS 1.3 for all data in transit between your device and FinOwl servers
✓ AES-256 encryption for all data stored in our database
✓ AES-256-GCM application-layer encryption for all OAuth tokens and access credentials
✓ HSTS headers enforced on all domains to prevent downgrade attacks

🏦

Open Banking Security

FCA-Regulated Access

FinOwl connects to your bank account via Open Banking — the UK regulatory framework overseen by the Financial Conduct Authority (FCA). We use regulated Open Banking providers to access your bank feed. We never ask for, store, or have access to your online banking password or PIN.

🏛️ Read-only access, always. Open Banking connections used by FinOwl are strictly read-only. FinOwl can view your transaction history and balances. It cannot initiate payments, move money, or make any changes to your account — by design, not just policy.

When you connect your bank, you are redirected to authenticate directly with your bank. Your bank credentials are entered on your bank's own secure website — FinOwl never sees them. Your bank then issues a time-limited, read-only access token to FinOwl via the Open Banking standard. This token can be revoked by you at any time through your bank's app.

✓ No stored bank credentials. We never hold your banking username, password, or PIN — not even temporarily.
✓ Read-only permissions. The OAuth scope granted covers transaction history and balances only. Payment initiation is not requested or permitted.
✓ FCA-regulated pipeline. Our Open Banking data providers operate under FCA authorisation as Account Information Service Providers (AISPs).
✓ Revocable at any time. You can disconnect your bank feed instantly from within FinOwl or via your bank's Open Banking consent management portal.
✓ Access tokens encrypted. All Open Banking tokens are encrypted with AES-256-GCM before storage. See Encryption section above.

📁

Data Retention & Your Right to Delete

UK GDPR Compliant

We retain your data only for as long as it is necessary to provide the service or meet our legal obligations. The table below summarises our retention periods by data category.

Data Type	Retention Period	Reason
Transaction records	6 years from the end of the relevant tax year	HMRC statutory requirement for business records
VAT returns & filings	6 years	HMRC VAT Notice 700/21 record-keeping obligations
Account & profile data	Duration of subscription + 30 days post-cancellation	Service delivery and grace period for re-activation
Open Banking tokens	Until revoked or subscription ends	Required for live bank feed connection
Audit logs	6 years	Fraud prevention and dispute resolution
Support correspondence	3 years	Service continuity and dispute resolution

⚠️ HMRC obligation note: UK law requires businesses to retain financial records for a minimum of 6 years. Even if you request account deletion, we are legally required to retain transaction and VAT data for this period. We will delete all other personal data (profile, preferences, bank tokens) immediately upon request.

To exercise your right to deletion or data access, email finowl@polsia.app with the subject line "Data Request". We will respond within 30 days in accordance with UK GDPR Article 12.

🏛️

HMRC & Making Tax Digital Compliance

MTD Ready

FinOwl is purpose-built for UK tax compliance. Our categorisation engine, VAT calculations, and reporting are designed specifically to meet HMRC's Making Tax Digital (MTD) requirements — the UK government's mandated shift to digital tax record-keeping and submission.

✓ MTD for VAT compatible. FinOwl produces VAT returns in the format required by HMRC's MTD APIs. Quarterly filings are prepared continuously so there are no last-minute surprises.
✓ Correct UK VAT rates applied. All 15 HMRC business expense categories are mapped to the correct VAT rate: 20% standard, 0% zero-rated, or VAT-exempt — as defined in VAT Notice 700.
✓ UK-specific categorisation. Transaction categories follow HMRC's allowable expense definitions for Sole Traders (SA103) and Limited Companies (CT600), not generic international accounting standards.
✓ Immutable audit trail. Every categorisation, correction, and user action is logged to an append-only audit log. This provides the complete, tamper-resistant record HMRC requires for compliance reviews.
✓ Digital record-keeping. All transaction data is maintained in a structured digital format meeting the MTD record-keeping functional compatibility standard.

📋 MTD for Income Tax (2026+). FinOwl is being built ahead of the MTD for Income Tax Self Assessment rollout, which becomes mandatory for sole traders and landlords with income over £50,000 from April 2026. FinOwl will support quarterly updates and annual declarations as required.

⚙️

Infrastructure & Operational Security

Hardened Platform

FinOwl is hosted on enterprise-grade cloud infrastructure. We follow a defence-in-depth approach — multiple independent security layers so no single failure exposes your data.

✓ UK infrastructure. All servers, databases, and data processing occur within UK data centres. Your data does not leave UK jurisdiction.
✓ Isolated database. Your financial data is stored in a dedicated PostgreSQL database with network-level isolation. It is not co-mingled with other customer data in shared tables.
✓ Parameterised queries. Every database interaction uses parameterised SQL statements, eliminating the risk of SQL injection attacks.
✓ JWT authentication. Session tokens are short-lived JSON Web Tokens signed with a server-side secret. Tokens expire after 7 days and cannot be forged.
✓ Continuous backups. The database is backed up continuously with point-in-time recovery capability. Data is never at risk from hardware failure.
✓ Dependency monitoring. Third-party packages are regularly audited for known vulnerabilities. Security patches are applied promptly.