🔒

Privacy Policy

Last updated: 13 June 2026

The short version: We store your financial data encrypted on our servers in the UK. We don't sell your data, we don't show you ads, and we don't train AI models on your data. The only third parties who ever see your data are the services listed below, each chosen carefully for a specific function.

1. Who we are 2. What we collect 3. How we use it 4. AI providers 5. Auth & payments 6. Retention 7. Your rights 8. Security 9. Cookies 10. Changes

👤 1. Who we are

SoleDirector is a UK-based product currently operated by its founder. Formal company registration is in progress. For any questions about this policy or your data, contact us at [email protected].

📋 2. What data we collect

Account data: your name and email, collected via Clerk (our authentication provider). We never see your password.
Company & financial data: company name, director details, tax year settings, and transactions you enter manually.
Receipt images: files you upload for OCR scanning. Stored encrypted on our server. Not shared beyond what is described in section 4.
Chat messages: messages you send to the AI assistant and the responses generated. Stored in your encrypted account database.
Usage logs: IP address, timestamp, and HTTP status code. Retained for 30 days for security purposes, then deleted.

⚙️ 3. How we use your data

To provide the SoleDirector service and generate AI-assisted financial guidance.
To process your subscription via Stripe.
To authenticate your account via Clerk.
To improve the product (aggregate, anonymised analysis only, never individual data).
To comply with our legal obligations.

We do not sell your data. We do not use your data for advertising.

🤖 4. AI providers

SoleDirector routes different tasks to different AI providers. Here is exactly what each one receives:

Anthropic (Claude) receives your data
Your chat messages and relevant financial context are sent to Claude to generate responses. Privacy policy ↗
Google (Gemini) receives your data
Receipt images you upload are sent to Gemini for OCR extraction (vendor, amount, date). Privacy policy ↗
Perplexity AI no personal data
Used for web searches on HMRC rules and UK tax guidance. Before any query is sent, your message is automatically rewritten by Claude to remove all personal details. Perplexity only ever sees a generic tax question. Privacy policy ↗

We have Data Processing Agreements in place with Anthropic and Google. Under these agreements, your data is used solely to generate a response and is not used to train their models.

🔐 5. Authentication & payments

Clerk: handles sign-up, login, and session management. Your password is never stored by SoleDirector. Clerk privacy policy ↗
Stripe: processes subscription payments. We do not store your card details. Stripe privacy policy ↗

🗓️ 6. Data retention

Your account and financial data is retained for as long as your account is active.
If you delete your account, all data (transactions, receipts, chat history, settings) is permanently deleted within 30 days.
Server access logs are deleted after 30 days.
Stripe retains billing records as required by financial regulations.

⚖️ 7. Your rights under UK GDPR

Access: request a copy of your personal data.
Rectification: correct inaccurate data.
Erasure: delete your account and all data via Settings > Delete Account.
Portability: export your financial data as CSV via the Export section.
Object: object to processing of your personal data.

Deletion and export are self-serve. For all other requests, email [email protected]. We aim to respond within a few hours. For formal data rights requests we are legally required to respond within 30 days, but in practice we will be much faster.

You may also lodge a complaint with the Information Commissioner's Office (ICO) ↗

🛡️ 8. Security

Encryption in transit: all data between your browser and our servers is encrypted via HTTPS (TLS 1.2+).
Encryption at rest: all financial data is stored inside an AES-256 encrypted volume. The encryption key is stored on the server and never transmitted externally, protecting your data against physical disk theft or offline access to storage media.
Per-user isolation: each account has its own dedicated database. No user can access another user's data.
Encrypted backups: backups are encrypted independently before leaving our server and stored in a separate cloud region.
No routine access: no employee has routine access to your financial data.

🍪 9. Cookies

We use a single session cookie (__session) set by Clerk to keep you logged in. It is HttpOnly, Secure, and SameSite=Lax. We do not use tracking, analytics, or advertising cookies.

📢 10. Changes to this policy

If we make material changes to this policy, we will post a notice inside the app and update the date at the top of this page. Continued use of SoleDirector after changes take effect constitutes acceptance of the updated policy.