Finovo

Privacy Policy

Last updated: 1 May 2026
1

Introduction

Appslab Ltd, trading as Finovo (“Finovo”, “we”, “us” or “our”) is committed to protecting and respecting your privacy. This Privacy Policy sets out how we collect, use, store and disclose your personal data when you use our website at getfinovo.com and our finance software platform (the “Services”).

We process personal data as a controller. Our registered address is in England and Wales. If you have any questions about this policy or our data practices, contact us at privacy@getfinovo.com.

2

Data we collect

We collect the following categories of personal data:

Account data

name, email address, password (hashed), company name, VAT number, country.

Financial data

invoices, bills, bank transactions, payroll records and tax returns you create or import into the platform.

Payment data

billing address, card brand and last four digits. Full card numbers are processed by our payment provider (Stripe) and never stored by us.

Usage data

pages visited, features used, browser type, IP address, device identifiers, and crash reports.

Communications

emails or support tickets you send to us.

Banking connection data

read-only access tokens issued by your bank via open banking. We never receive or store your banking credentials.

3

Legal basis for processing

We rely on the following legal bases under the UK GDPR / GDPR:

Contract

to provide and maintain the Services you have subscribed to.

Legitimate interests

to improve our Services, prevent fraud, and communicate service-related updates.

Legal obligation

to comply with applicable financial, tax and employment laws.

Consent

for marketing emails (you may withdraw consent at any time).

4

How we use your data

  • To create and maintain your account.
  • To provide accounting, invoicing, payroll and tax features.
  • To process your payments and prevent fraud.
  • To send transactional emails (invoices, payment confirmations, security alerts).
  • To send product update and marketing emails (with your consent).
  • To analyse usage patterns and improve the product.
  • To comply with legal and regulatory obligations.
5

Data sharing

We share personal data only with:

Sub-processors

cloud infrastructure (AWS / Supabase), payment processing (Stripe), authentication (Clerk), email delivery (Resend), error monitoring (Sentry) and analytics (Plausible). All sub-processors are contractually bound to the same level of data protection.

Open banking providers

when you connect a bank account, data is exchanged with your bank’s open banking API under PSD2.

Tax authorities

when you use our integrated filing features, data is transmitted directly to HMRC, DGFiP or ELSTER on your behalf.

Legal

where required by law, regulation or court order.

We do not sell your personal data to third parties.

6

International transfers

Our infrastructure is hosted in EU data centres. Some sub-processors (e.g. Stripe, Clerk) may process data in the United States. Where such transfers occur, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement (IDTA).

7

Retention

We retain your account data for as long as your account is active and for up to 7 years after account closure, in order to comply with financial record-keeping obligations. Usage data is retained for 13 months. You can request deletion of your account and personal data at any time (subject to legal retention obligations).

Account data retention: 7 years

Usage data retention: 13 months

8

Your rights

Under UK GDPR / GDPR, you have the right to:

Access

request a copy of the personal data we hold about you.

Rectification

correct inaccurate or incomplete data.

Erasure

request deletion of your data (“right to be forgotten”).

Restriction

ask us to pause processing of your data in certain circumstances.

Portability

receive your data in a structured, machine-readable format.

Objection

object to processing based on legitimate interests.

Withdraw consent

where we rely on consent (e.g. marketing), you may withdraw at any time without affecting prior processing.

To exercise any of these rights, email privacy@getfinovo.com. We will respond within 30 days. You also have the right to lodge a complaint with the ICO (UK) or your local supervisory authority.

9

Cookies and analytics

We use the following cookies and local storage values on getfinovo.com (the marketing website) and app.getfinovo.com (the application):

__clerk_* (Essential)

Keeps you signed in to the app. Duration: Session / 7 days.

gf_cookie_consent (Essential)

Stores your cookie consent choice (localStorage). Duration: Persistent.

va_* / _vercel_* (Analytics)

Vercel Analytics: counts page views and unique visitors. No cross-site tracking. No personal data sold. Duration: 365 days.

Analytics cookies require your consent. When you first visit the marketing website, a banner will ask you to accept or decline non-essential cookies. Analytics will only load if you click “Accept all”.

Changing your choice: To withdraw consent or change your preference at any time, open your browser’s developer console and run:

localStorage.removeItem('gf_cookie_consent')

The consent banner will reappear on your next page load.

You can also block or delete cookies through your browser settings. Blocking essential cookies will prevent you from logging in to the application.

10

Security

  • TLS in transit
  • AES-256 at rest
  • Penetration testing
  • Access controls
  • Audit logs

We protect your data using TLS encryption in transit, AES-256 encryption at rest, regular penetration testing, and strict access controls. Staff access to production data is logged and subject to need-to-know restrictions. We operate a responsible disclosure programme — please email security@getfinovo.com to report vulnerabilities.

11

Children

Finovo is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us immediately.

12

Changes to this policy

We may update this policy from time to time. We’ll notify you by email and/or in-app notification for material changes, and update the “Last updated” date at the top. Continued use of the Services after the effective date constitutes acceptance of the revised policy.

Contact

Appslab Ltd

Data Protection Enquiries