Privacy Policy

Last updated: March 2026  ·  UK GDPR & Data Protection Act 2018

This Privacy Policy explains how Vpayit Ltd collects, uses, and protects your personal data. It complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). Written in plain English — no unnecessary jargon.

1. Who we are

Vpayit Ltd is the data controller for personal data collected through vpayit.co.uk and app.vpayit.co.uk (UK GDPR Art. 4(7)).

  • Registered in England and Wales under the Companies Act 2006
  • Registered address: London, United Kingdom
  • ICO registered as a data controller under the Data Protection Act 2018
  • Email: [email protected]

2. Data we collect

We collect the minimum data necessary to provide the service (UK GDPR Art. 5(1)(c)).

  • Identity data: name, business name, business type, postcode — collected on registration
  • Contact data: email address
  • Financial data: read-only bank transaction data via Open Banking (TrueLayer, FCA-authorised). We never see your bank login credentials.
  • Technical data: IP address, browser type, device, usage data — collected automatically
  • Communications: messages sent via contact form or email
  • Payment data: subscription status via Stripe. Card numbers are never stored by Vpayit — Stripe is the data controller for payment card data (PCI DSS Level 1 certified).

3. Lawful basis for processing

We only process your data where we have a lawful basis (UK GDPR Art. 6).

  • Contract (Art. 6(1)(b)): processing necessary to deliver the Vpayit service
  • Legitimate interests (Art. 6(1)(f)): product improvement, fraud prevention, security, service updates — we have conducted Legitimate Interests Assessments (LIAs) for each use
  • Consent (Art. 6(1)(a)): marketing emails and non-essential cookies — withdrawable at any time
  • Legal obligation (Art. 6(1)(c)): financial record-keeping under the Companies Act 2006 and HMRC requirements

4. How we use your data

We use your data to (UK GDPR Art. 5(1)(b), Purpose Limitation):

  • Create and manage your Vpayit account
  • Detect and categorise recurring business bills via Open Banking
  • Surface savings opportunities by comparing your bills to the market
  • Send transactional emails — bill reminders, account and security notifications
  • Send marketing emails where you have consented (unsubscribe link in every email)
  • Process subscription payments via Stripe
  • Respond to support requests and enquiries
  • Meet our legal and regulatory obligations
  • Detect and prevent fraud and unauthorised access

We do not sell your data. We do not use your data for advertising. We do not share your financial data with suppliers without your explicit consent.

5. Third-party processors

We share data only where necessary, under Data Processing Agreements (DPAs) as required by UK GDPR (Art. 28).

  • TrueLayer — FCA-authorised Open Banking provider (AISP, FRN 793171). DPA in place.
  • Stripe — PCI DSS Level 1 payment processor. Data controller for card data.
  • Supabase — database and authentication, AWS EU Frankfurt. DPA in place.
  • Resend — transactional email. DPA in place.
  • Railway — API hosting, GCP EU Belgium. DPA in place.

We may disclose data to authorities where required by law including under the Investigatory Powers Act 2016 or a valid court order.

6. International transfers

Where data is processed outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO or adequacy decisions (UK GDPR Art. 46).

7. Retention periods

We keep data only as long as necessary (UK GDPR Art. 5(1)(e)).

  • Account data: duration of account + 30 days after closure
  • Transaction data: 13 months, then automatically deleted
  • Financial records: 7 years as required by Companies Act 2006 and HMRC
  • Support communications: 3 years
  • Marketing consent records: duration of consent + 3 years as evidence under PECR

8. Your rights

Under UK GDPR you have the following rights (Arts. 15–22).

  • Access (Art. 15): request a copy of your personal data
  • Rectification (Art. 16): correct inaccurate data
  • Erasure (Art. 17): request deletion where applicable
  • Restriction (Art. 18): limit how we use your data
  • Portability (Art. 20): receive your data in a machine-readable format
  • Objection (Art. 21): object to processing based on legitimate interests or for direct marketing
  • Withdraw consent: at any time where consent is the basis for processing

Email [email protected] to exercise any right. We will respond within one calendar month at no charge, unless a request is manifestly unfounded or excessive (UK GDPR Art. 12).

9. Cookies and electronic communications

We use cookies in accordance with PECR Regulation 6 and UK GDPR. We obtain consent before setting non-essential cookies. Marketing emails are sent only with your prior consent under PECR Regulation 22. See our Cookie Policy for full details.

10. Security and breach notification

We apply appropriate technical and organisational measures to protect your data, including 256-bit TLS encryption, AES-256 encryption at rest, row-level database security, and rate limiting (UK GDPR Art. 32).

In the event of a data breach, we will notify the ICO within 72 hours and affected individuals without undue delay where required (UK GDPR Arts. 33–34). See our Security page for full details.

11. Changes to this policy

We will notify you by email of any material changes at least 14 days before they take effect. The date at the top of this page always reflects the most recent version.

Questions or complaints?

Contact us at [email protected]. We respond within one calendar month.

You have the right to complain to the ICO: ico.org.uk/make-a-complaint or call 0303 123 1113.
