Privacy Policy

Last updated: 1 May 2026

1. Introduction

Appslab Ltd, trading as Finovo (“Finovo”, “we”, “us” or “our”), is committed to protecting and respecting your privacy. This Privacy Policy sets out how we collect, use, store and disclose your personal data when you use our website at getfinovo.com and our finance software platform (the “Services”).

We process personal data as a controller. Our registered address is in England and Wales. If you have any questions about this policy or our data practices, contact us at privacy@getfinovo.com.

2. Data we collect

We collect the following categories of personal data:

  • Account data: name, email address, password (hashed), company name, VAT number, country.
  • Financial data: invoices, bills, bank transactions, payroll records and tax returns you create or import into the platform.
  • Payment data: billing address, card brand and last four digits. Full card numbers are processed by our payment provider (Stripe) and never stored by us.
  • Usage data: pages visited, features used, browser type, IP address, device identifiers, and crash reports.
  • Communications: emails or support tickets you send to us.
  • Banking connection data: read-only access tokens issued by your bank via open banking. We never receive or store your banking credentials.

3. Legal basis for processing

We rely on the following legal bases under the UK GDPR / GDPR:

  • Contract: to provide and maintain the Services you have subscribed to.
  • Legitimate interests: to improve our Services, prevent fraud, and communicate service-related updates.
  • Legal obligation: to comply with applicable financial, tax and employment laws.
  • Consent: for marketing emails (you may withdraw consent at any time).

4. How we use your data

  • To create and maintain your account.
  • To provide accounting, invoicing, payroll and tax features.
  • To process your payments and prevent fraud.
  • To send transactional emails (invoices, payment confirmations, security alerts).
  • To send product update and marketing emails (with your consent).
  • To analyse usage patterns and improve the product.
  • To comply with legal and regulatory obligations.

5. Data sharing

We share personal data only with:

  • Sub-processors: cloud infrastructure (AWS / Supabase), payment processing (Stripe), authentication (Clerk), email delivery (Resend), error monitoring (Sentry) and analytics (Plausible). All sub-processors are contractually bound to the same level of data protection.
  • Open banking providers: when you connect a bank account, data is exchanged with your bank’s open banking API under PSD2.
  • Tax authorities: when you use our integrated filing features, data is transmitted directly to HMRC, DGFiP or ELSTER on your behalf.
  • Legal: where required by law, regulation or court order.

We do not sell your personal data to third parties.

6. International transfers

Our infrastructure is hosted in EU data centres. Some sub-processors (e.g. Stripe, Clerk) may process data in the United States. Where such transfers occur, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement (IDTA).

7. Retention

We retain your account data for as long as your account is active and for up to 7 years after account closure, in order to comply with financial record-keeping obligations. Usage data is retained for 13 months. You can request deletion of your account and personal data at any time (subject to legal retention obligations).

8. Your rights

Under UK GDPR / GDPR, you have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your data (“right to be forgotten”).
  • Restriction: ask us to pause processing of your data in certain circumstances.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: where we rely on consent (e.g. marketing), you may withdraw at any time without affecting prior processing.

To exercise any of these rights, email privacy@getfinovo.com. We will respond within 30 days. You also have the right to lodge a complaint with the ICO (UK) or your local supervisory authority.

9. Cookies and analytics

We use the following cookies and local storage values on getfinovo.com (the marketing website) and app.getfinovo.com (the application):

| Name | Type | Purpose | Expires |
| --- | --- | --- | --- |
| __clerk_* | Essential | Keeps you signed in to the app. | Session / 7 days |
| gf_cookie_consent | Essential | Stores your cookie consent choice (localStorage). | Persistent |
| va_* / _vercel_* | Analytics | Vercel Analytics — counts page views and unique visitors. No cross-site tracking. No personal data sold. | 365 days |

Analytics cookies require your consent. When you first visit the marketing website, a banner will ask you to accept or decline non-essential cookies. Analytics will only load if you click “Accept all”.

Changing your choice: To withdraw consent or change your preference at any time, open your browser’s developer console and run: localStorage.removeItem('gf_cookie_consent') — the consent banner will reappear on your next page load.

You can also block or delete cookies through your browser settings. Blocking essential cookies will prevent you from logging in to the application.

10. Security

We protect your data using TLS encryption in transit, AES-256 encryption at rest, regular penetration testing, and strict access controls. Staff access to production data is logged and subject to need-to-know restrictions. We operate a responsible disclosure programme — please email security@getfinovo.com to report vulnerabilities.

11. Children

Finovo is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us immediately.

12. Changes to this policy

We may update this policy from time to time. We’ll notify you by email and/or in-app notification for material changes, and update the “Last updated” date at the top. Continued use of the Services after the effective date constitutes acceptance of the revised policy.

13. Contact

Appslab Ltd
Data Protection Enquiries
privacy@getfinovo.com