Privacy Policy
Introduction
Appslab Ltd, trading as Finovo (“Finovo”, “we”, “us” or “our”) is committed to protecting and respecting your privacy. This Privacy Policy sets out how we collect, use, store and disclose your personal data when you use our website at getfinovo.com and our finance software platform (the “Services”).
We process personal data as a controller. Our registered address is in England and Wales. If you have any questions about this policy or our data practices, contact us at privacy@getfinovo.com.
Data we collect
We collect the following categories of personal data:
Account data
name, email address, password (hashed), company name, VAT number, country.
Financial data
invoices, bills, bank transactions, payroll records and tax returns you create or import into the platform.
Payment data
billing address, card brand and last four digits. Full card numbers are processed by our payment provider (Stripe) and never stored by us.
Usage data
pages visited, features used, browser type, IP address, device identifiers, and crash reports.
Communications
emails or support tickets you send to us.
Banking connection data
read-only access tokens issued by your bank via open banking. We never receive or store your banking credentials.
Legal basis for processing
We rely on the following legal bases under the UK GDPR / GDPR:
Contract
to provide and maintain the Services you have subscribed to.
Legitimate interests
to improve our Services, prevent fraud, and communicate service-related updates.
Legal obligation
to comply with applicable financial, tax and employment laws.
Consent
for marketing emails (you may withdraw consent at any time).
How we use your data
- To create and maintain your account.
- To provide accounting, invoicing, payroll and tax features.
- To process your payments and prevent fraud.
- To send transactional emails (invoices, payment confirmations, security alerts).
- To send product update and marketing emails (with your consent).
- To analyse usage patterns and improve the product.
- To comply with legal and regulatory obligations.
Data sharing
We share personal data only with:
Sub-processors
cloud infrastructure (AWS / Supabase), payment processing (Stripe), authentication (Clerk), email delivery (Resend), error monitoring (Sentry) and analytics (Plausible). All sub-processors are contractually bound to the same level of data protection.
Open banking providers
when you connect a bank account, data is exchanged with your bank’s open banking API under PSD2.
Tax authorities
when you use our integrated filing features, data is transmitted directly to HMRC, DGFiP or ELSTER on your behalf.
Legal
where required by law, regulation or court order.
We do not sell your personal data to third parties.
International transfers
Our infrastructure is hosted in EU data centres. Some sub-processors (e.g. Stripe, Clerk) may process data in the United States. Where such transfers occur, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement (IDTA).
Retention
We retain your account data for as long as your account is active and for up to 7 years after account closure, in order to comply with financial record-keeping obligations. Usage data is retained for 13 months. You can request deletion of your account and personal data at any time (subject to legal retention obligations).
Your rights
Under UK GDPR / GDPR, you have the right to:
Access
request a copy of the personal data we hold about you.
Rectification
correct inaccurate or incomplete data.
Erasure
request deletion of your data (“right to be forgotten”).
Restriction
ask us to pause processing of your data in certain circumstances.
Portability
receive your data in a structured, machine-readable format.
Objection
object to processing based on legitimate interests.
Withdraw consent
where we rely on consent (e.g. marketing), you may withdraw at any time without affecting prior processing.
To exercise any of these rights, email privacy@getfinovo.com. We will respond within 30 days. You also have the right to lodge a complaint with the ICO (UK) or your local supervisory authority.
Cookies and analytics
We use the following cookies and local storage values on getfinovo.com (the marketing website) and app.getfinovo.com (the application):
__clerk_* (Essential): keeps you signed in to the app.
gf_cookie_consent (Essential, localStorage): stores your cookie consent choice.
va_* / _vercel_* (Analytics): Vercel Analytics, which counts page views and unique visitors. No cross-site tracking; no personal data is sold.
Analytics cookies require your consent. When you first visit the marketing website, a banner will ask you to accept or decline non-essential cookies. Analytics will only load if you click “Accept all”.
Changing your choice: to withdraw consent or change your preference at any time, open your browser's developer console and run localStorage.removeItem('gf_cookie_consent'); the consent banner will reappear on your next page load.
You can also block or delete cookies through your browser settings. Blocking essential cookies will prevent you from logging in to the application.
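The consent gate described above (choice kept in localStorage under gf_cookie_consent, analytics loaded only after "Accept all", removing the key brings the banner back) can be implemented as follows. This is an added example, not Finovo's own code: the stored values 'accepted' and 'declined', the banner and loader callbacks, and the in-memory storage stand-in are assumptions made for illustration.

```javascript
// Added example of a consent gate for non-essential analytics. Not Finovo's
// code; the values 'accepted' / 'declined' and the callback shapes are assumed.
const CONSENT_KEY = 'gf_cookie_consent';
const ACCEPTED = 'accepted';
const DECLINED = 'declined';

// `storage` is anything with getItem/setItem/removeItem: window.localStorage in
// the browser, or the shim below in tests. Reads are wrapped because
// localStorage can throw in some private-browsing modes; a throw, a missing
// key or an unexpected value are all treated as "no consent recorded".
function readConsent(storage) {
  try {
    const v = storage.getItem(CONSENT_KEY);
    return v === ACCEPTED || v === DECLINED ? v : null;
  } catch (_) {
    return null;
  }
}

function recordConsent(storage, accepted) {
  storage.setItem(CONSENT_KEY, accepted ? ACCEPTED : DECLINED);
}

// Same effect as the manual console step in the policy: drop the key so the
// banner is shown again on the next page load.
function withdrawConsent(storage) {
  storage.removeItem(CONSENT_KEY);
}

// Essential cookies (the session) are never gated; analytics only loads on an
// explicit accept. Any other state, including tampered values, means "off".
function shouldLoadAnalytics(storage) {
  return readConsent(storage) === ACCEPTED;
}

function bannerNeeded(storage) {
  return readConsent(storage) === null;
}

// Wires the gate to a banner and a script loader. `loadAnalytics` is the
// function that would inject the analytics <script>; it is only ever called
// after an accept, never by default. Returns what happened, for callers/tests.
function initConsentGate(storage, { showBanner, loadAnalytics }) {
  if (shouldLoadAnalytics(storage)) {
    loadAnalytics();
    return 'loaded';
  }
  if (bannerNeeded(storage)) {
    showBanner({
      acceptAll: () => { recordConsent(storage, true); loadAnalytics(); },
      decline: () => { recordConsent(storage, false); },
    });
    return 'banner';
  }
  return 'declined';
}

// Minimal in-memory stand-in for localStorage (constructed for this example)
// so the gate can be exercised outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

In a page, call initConsentGate(window.localStorage, { showBanner, loadAnalytics }) once at load; because the loader only runs from the accept branch or a previously stored accept, a declined or absent choice can never load the analytics script.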
Security
We protect your data using TLS encryption in transit, AES-256 encryption at rest, regular penetration testing, and strict access controls. Staff access to production data is logged and subject to need-to-know restrictions. We operate a responsible disclosure programme — please email security@getfinovo.com to report vulnerabilities.
Children
Finovo is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us immediately.
Changes to this policy
We may update this policy from time to time. We’ll notify you by email and/or in-app notification for material changes, and update the “Last updated” date at the top. Continued use of the Services after the effective date constitutes acceptance of the revised policy.