
Privacy Policy

Last updated: 30 March 2026

1. Who We Are

Clarity & Co is a UK-based financial management platform operated by Bruno Azenha Tonheta (“we”, “us”, “our”). We are the data controller for the personal data processed through clarityco.co.uk.

Contact: privacy@clarityco.co.uk

2. Data We Collect

We collect the following categories of personal data:

  • Account Information — Name, email address, password (hashed), language preference.
  • Financial Data — Bank statements, transaction descriptions, amounts, categories, invoices, bills, receipts.
  • Business Data — Company names, registration numbers, UTR, VAT numbers, registered addresses, officer details (from Companies House public records).
  • Identity Verification — If you use our identity verification service (Yoti), biometric data and identity documents are processed by Yoti Ltd as an independent data processor.
  • Uploaded Documents — Scanned letters, receipts, invoices, and other documents you upload for AI processing.
  • Vault Data — Passwords, API keys, and credentials you store are encrypted with AES-256-GCM. We cannot read vault contents.
  • Open Banking Data — If you connect your bank account via TrueLayer, we receive transaction data, balances, and account details under your explicit consent.
  • HMRC Data — If you connect to HMRC via Government Gateway OAuth, we receive Self Assessment data (obligations, balances, transactions), VAT data (obligations, returns, liabilities, payments), employment data, state benefits, capital gains, and tax calculations. This data is accessed only with your explicit authorisation and stored securely on UK servers.
  • HMRC Fraud Prevention Data — When accessing HMRC APIs, we are legally required to collect and transmit device fingerprint data including: your public IP address, device identifier, browser user agent, screen resolution, window size, browser plugins, timezone, local network IP addresses, and Do Not Track preference. This data is sent directly to HMRC as part of their mandatory fraud prevention headers and is not used by us for any other purpose.
  • Usage Data — Pages visited, features used, browser type, IP address, device information.

3. How We Use Your Data

  • Provide the Service — Process bank statements, generate reports, track bills, manage invoices, categorise transactions.
  • AI Processing — We use AI (Google Gemini) to categorise transactions, extract data from scanned documents, and provide financial insights. Your data is sent to Google's API for processing but is not used to train their models.
  • Tax Compliance — Generate HMRC-compliant reports (SA103, CT600), map categories to tax boxes, and submit returns via HMRC Making Tax Digital (MTD) APIs.
  • HMRC MTD Integration — When you authorise a connection to HMRC, we use their official APIs to retrieve your tax data, file VAT returns, and manage Self Assessment obligations. We transmit mandatory fraud prevention headers with every API call as required by HMRC law. Your HMRC data is processed solely to provide the service and is never shared with third parties beyond HMRC itself.
  • Government API Integration — Look up company information via Companies House API and submit filings.
  • Security — Detect and prevent fraud, unauthorised access, and abuse.
  • Communications — Send account notifications, bill reminders, and service updates.

4. Legal Basis for Processing

  • Contract — Processing necessary to provide the Clarity & Co service you signed up for.
  • Consent — Open Banking connections, identity verification, and optional AI features.
  • Legitimate Interest — Service improvement, security monitoring, and fraud prevention.
  • Legal Obligation — Where required by UK law or HMRC regulations.

5. Data Sharing

We share your data only with:

  • Google (Gemini AI) — Transaction descriptions and document images for AI categorisation. Data is processed under Google's API terms and not used for model training.
  • TrueLayer — Open Banking provider, FCA-regulated. Only when you explicitly connect your bank.
  • Yoti Ltd — Identity verification provider. Only when you initiate an ID check.
  • HMRC — Tax data retrieval, Self Assessment management, VAT return submissions, and state benefits data. Only when you explicitly authorise via Government Gateway OAuth. We also transmit device fingerprint data to HMRC as part of their mandatory fraud prevention requirements (see Section 2).
  • Companies House — Company filings, only when you explicitly authorise via OAuth.
  • Hosting Provider — Our servers are hosted on Hostinger (Manchester, UK data centre).

We never sell your personal data to third parties. We do not share your data with advertisers.

6. Data Storage & Security

  • All data is stored on UK-based servers (Manchester).
  • Data in transit is encrypted with TLS 1.3.
  • Vault entries are encrypted with AES-256-GCM — we cannot decrypt your stored passwords.
  • Passwords are hashed with bcrypt (cost factor 12).
  • Database access is restricted to the application level only, with strong credentials.
  • Regular automated backups with encryption at rest.

7. Data Retention

  • Account data — Retained while your account is active. Deleted within 30 days of account closure.
  • Financial data — Retained while your account is active. You may delete individual records at any time.
  • Uploaded documents — Retained until you delete them. Automatically deleted 30 days after account closure.
  • Vault data — Deleted immediately upon account closure.
  • Usage logs — Retained for 12 months for security and analytics purposes.

8. Your Rights (UK GDPR)

Under UK data protection law, you have the right to:

  • Access — Request a copy of all personal data we hold about you.
  • Rectification — Correct any inaccurate data.
  • Erasure — Request deletion of your data (“right to be forgotten”).
  • Portability — Receive your data in a machine-readable format.
  • Restriction — Request we limit how we process your data.
  • Objection — Object to processing based on legitimate interest.
  • Withdraw Consent — Withdraw consent for Open Banking or identity verification at any time.

To exercise any of these rights, email privacy@clarityco.co.uk. We will respond within 30 days.

9. Cookies

We use essential cookies for authentication and session management. For full details, see our Cookie Policy.

10. Children

Clarity & Co is not intended for use by anyone under 18 years of age. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notification. The “Last updated” date at the top reflects the most recent revision.

12. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint