Privacy Policy

Zody AI Ltd — Expenser Application

Last updated: 6 April 2025

1. Introduction and Identity of the Controller

1.1

This Privacy Policy ("Policy") is issued by Zody AI Ltd, a company incorporated in England and Wales ("Zody AI", "we", "us", "our"). Our registered office address is available upon written request to legal@zodyai.com.

1.2

Zody AI operates the Expenser application and associated services (collectively, the "Service"). We are the data controller in respect of personal data processed through the Service unless otherwise stated.

1.3

We are committed to processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and all other applicable data protection legislation.

1.4

If you have questions regarding this Policy or our data practices, contact us at: privacy@zodyai.com.

2. Scope of This Policy

2.1

This Policy applies to all individuals who:

  (a) access or use the Expenser application;
  (b) register for an account;
  (c) upload documents, data, or files to the Service;
  (d) interact with our website or any associated API.

2.2

This Policy does not apply to third-party websites, applications, or services linked to or from the Service. We accept no responsibility for the privacy practices of such third parties.

2.3

If you use the Service on behalf of a business or organisation, you confirm that you are authorised to accept this Policy on behalf of that entity and that the entity accepts responsibility for ensuring that individuals whose personal data is submitted through the Service have been informed of and consent to such processing where required.

3. Personal Data We Collect

3.1

We collect the following categories of personal data:

  (a) Identity and Account Data: full name, email address, username, password (hashed), business name, job title, and authentication credentials managed through our identity provider (Clerk).
  (b) Financial and Transactional Data: data contained within receipts, invoices, bank statements, and other financial documents you upload, including but not limited to: merchant names, transaction amounts, dates, VAT numbers, item descriptions, and payment methods.
  (c) Usage and Technical Data: IP address, browser type and version, device identifiers, operating system, session logs, clickstream data, feature usage statistics, and crash reports.
  (d) Communication Data: any correspondence you send to us, including support requests and feedback.
  (e) Payment Data: billing name, address, and payment method details processed by our payment processor (Stripe). We do not store full card details on our systems.
  (f) AI-Processed Output Data: structured data extracted by our artificial intelligence and large language model (LLM) pipeline from your uploaded documents, including categorised transaction records and expense eligibility assessments.

3.2

We may also collect special category data if it is incidentally included within documents you upload (for example, medical receipts that may imply health information). You are advised not to upload documents containing special category data unless strictly necessary. Where such data is incidentally uploaded, it is processed solely for the purpose of document scanning and is not specifically analysed, flagged, or retained beyond the standard retention period.

4. How We Collect Personal Data

4.1

We collect personal data through the following means:

  (a) Directly from you when you register, upload documents, or communicate with us.
  (b) Automatically through cookies, web beacons, server logs, and similar technologies when you interact with the Service.
  (c) From third-party services integrated into the Service, including Clerk (authentication), Stripe (payments), and Railway (cloud infrastructure).

5. Purposes and Legal Bases for Processing

5.1

We process personal data on the following legal bases under UK GDPR Article 6:

  (a) Performance of a Contract (Article 6(1)(b)): To provide the Service, including scanning and processing uploaded documents, extracting transaction data, storing records, generating expense eligibility assessments, and managing your account.
  (b) Compliance with a Legal Obligation (Article 6(1)(c)): To comply with applicable laws including tax law, anti-money laundering obligations, and regulatory requirements.
  (c) Legitimate Interests (Article 6(1)(f)): To improve the Service, ensure the security and integrity of our systems, prevent fraud, and conduct internal analytics. We have conducted legitimate interests assessments and determined that our interests are not overridden by your rights and freedoms.
  (d) Consent (Article 6(1)(a)): Where we use non-essential cookies or send direct marketing communications, we rely on your freely given, specific, informed, and unambiguous consent.

5.2

Where we process special category data incidentally present in uploaded documents, we rely on the explicit consent basis (Article 9(2)(a)) implied by your voluntary act of uploading such documents, together with the substantial public interest basis (Article 9(2)(g)) as applicable.

6. AI Processing and Automated Decision-Making

6.1

The Service uses artificial intelligence, including large language models and retrieval-augmented generation (RAG) systems, to extract data from your uploaded documents and to assess the likely VAT and income tax deductibility of your transactions with reference to HMRC published guidance.

6.2

Important disclaimer on AI-generated outputs: All outputs generated by the Service, including expense eligibility assessments, classifications, and guidance, are produced by automated AI systems and are provided for informational and organisational purposes only. They do not constitute legal advice, tax advice, accounting advice, or any other professional advice. Zody AI Ltd makes no warranty, representation, or guarantee as to the accuracy, completeness, or fitness for purpose of any AI-generated output.

6.3

You acknowledge and agree that:

  (a) HMRC guidance, tax legislation, and applicable regulations change frequently and the Service may not reflect the most current position at any given time;
  (b) the assessment of whether an expense is deductible for tax purposes depends on individual circumstances, the nature of your trade or business, and specific facts that the Service cannot fully evaluate;
  (c) you must not submit any tax return, VAT return, or other filing to HMRC or any other authority based solely on outputs generated by the Service without first obtaining independent professional advice from a qualified accountant, tax adviser, or solicitor;
  (d) Zody AI Ltd shall bear no liability whatsoever for any tax liability, penalty, surcharge, interest, fine, or other loss suffered by you as a result of reliance on Service outputs.

6.4

Where AI processing constitutes solely automated decision-making that produces legal or similarly significant effects, you have the right under UK GDPR Article 22 to request human review. To exercise this right, contact privacy@zodyai.com. You acknowledge that the primary outputs of the Service are advisory classifications, not binding decisions, and that all ultimate filing decisions rest with you.

6.5

We use third-party LLM infrastructure in the provision of the Service. Document content and extracted data may be transmitted to such infrastructure providers for processing. We maintain appropriate data processing agreements with all such providers. You consent to such processing by using the Service.

7. Data Sharing and Disclosure

7.1

We do not sell your personal data to third parties.

7.2

We share personal data only in the following circumstances:

  (a) Service Providers and Sub-processors: We engage third-party processors who act on our instructions, including cloud infrastructure providers (Railway), authentication services (Clerk), payment processors (Stripe), and AI/LLM infrastructure providers. A current list of sub-processors is available upon written request.
  (b) Legal Compliance and Regulatory Disclosure: We may disclose personal data where required by law, court order, regulatory authority, or governmental body, including HMRC, the Information Commissioner's Office (ICO), the Financial Conduct Authority (FCA), or law enforcement agencies. We are not required to notify you of such disclosures where prohibited by law.
  (c) Business Transfers: In the event of a merger, acquisition, restructuring, sale of assets, or insolvency proceedings, personal data may be transferred to the acquiring or successor entity, subject to equivalent data protection obligations.
  (d) Professional Advisers: We may share data with our legal, financial, and insurance advisers under duties of confidentiality.
  (e) With Your Consent: We may share data in other circumstances with your explicit consent.

7.3

Where we transfer personal data outside of the United Kingdom, we ensure that appropriate safeguards are in place in accordance with UK GDPR Chapter V, including by way of the UK International Data Transfer Agreement (IDTA) or adequacy decisions.

8. Data Retention

8.1

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting obligations.

8.2

Specific retention periods:

  (a) Account and identity data: retained for the duration of your account plus 7 years following account closure, in accordance with HMRC record-keeping requirements and applicable limitation periods.
  (b) Financial and transactional data extracted from uploaded documents: retained for 7 years from the date of extraction, consistent with standard UK tax record-keeping obligations.
  (c) Original uploaded documents: retained for 90 days following upload, after which they are deleted from our systems unless you have specifically instructed us to retain them.
  (d) Usage and technical data: retained for 24 months.
  (e) Communication data: retained for 3 years.

8.3

Notwithstanding the above, we may retain data for longer periods where required by applicable law, ongoing legal proceedings, or a legitimate dispute.

9. Your Rights

9.1

Under UK GDPR, you have the following rights in relation to your personal data:

  (a) Right of Access: to obtain a copy of your personal data and information about how it is processed.
  (b) Right to Rectification: to have inaccurate or incomplete personal data corrected.
  (c) Right to Erasure: to request deletion of your personal data in certain circumstances.
  (d) Right to Restriction of Processing: to request that processing is restricted in certain circumstances.
  (e) Right to Data Portability: to receive your personal data in a structured, commonly used, machine-readable format.
  (f) Right to Object: to object to processing based on legitimate interests or for direct marketing purposes.
  (g) Rights in relation to Automated Decision-Making: as set out in Section 6 above.
  (h) Right to Withdraw Consent: where processing is based on consent, to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

9.2

To exercise any of the above rights, submit a written request to privacy@zodyai.com. We will respond within one calendar month. We may request proof of identity before processing your request.

9.3

We reserve the right to refuse requests that are manifestly unfounded, excessive, or repetitive, or where an exemption under Schedule 2 of the Data Protection Act 2018 applies, including in relation to the prevention or detection of crime, legal proceedings, or tax purposes.

9.4

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time: www.ico.org.uk / 0303 123 1113. We would, however, appreciate the opportunity to address your concerns before you approach the ICO.

10. Cookies and Tracking Technologies

10.1

The Service uses cookies and similar tracking technologies. By continuing to use the Service after being presented with our cookie banner, you consent to the use of non-essential cookies as described therein.

10.2

You may withdraw cookie consent or manage preferences at any time via the cookie settings tool available on the Service.

11. Security

11.1

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

11.2

These measures include, but are not limited to: encryption of data in transit and at rest, access controls and authentication requirements, security monitoring, and regular security assessments.

11.3

You acknowledge that no method of electronic transmission or storage is completely secure. While we take the protection of your data seriously, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for all activities conducted under your account.

11.4

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with UK GDPR Article 34.

12. Children

12.1

The Service is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately at privacy@zodyai.com and we will take steps to delete such data.

13. Third-Party Links and Integrations

13.1

The Service may contain links to, or integrate with, third-party websites and services. This Policy does not apply to such third parties. We recommend reviewing the privacy policies of any third-party services you access via the Service. We accept no responsibility or liability for the privacy practices of third parties.

14. Changes to This Policy

14.1

We reserve the right to update or amend this Policy at any time. Where changes are material, we will notify you by email or prominent notice on the Service prior to the change taking effect.

14.2

The date at the top of this Policy indicates when it was last revised. Continued use of the Service following notification of changes constitutes acceptance of the revised Policy.

14.3

It is your responsibility to review this Policy periodically.

15. Governing Law

15.1

This Policy and any disputes arising in connection with it shall be governed by and construed in accordance with the laws of England and Wales.

15.2

The courts of England and Wales shall have exclusive jurisdiction over any disputes arising in connection with this Policy.

16. Contact Us

Privacy queries, requests, or complaints: privacy@zodyai.com

Urgent security disclosures: security@zodyai.com

Post: Data Protection Officer, Zody AI Ltd, Fairview Farm Foots Lane, Burwash Weald, Etchingham, England, TN19 7LE

Questions about this Policy should be directed to privacy@zodyai.com.