Privacy Policy
How Notabyte Limited handles personal data when you use Get Clarity.
At a glance
- Who we are. Notabyte Limited (Companies House 12567215), trading as Get Clarity, registered office Flat 15, Gaysley House, London SE11 6TS. ICO registration ZC108811 / C1894369.
- What we collect. Account information, the financial data you import or enter (invoices, expenses, transactions), authentication tokens, usage data, and AI conversation history if you use AI features.
- Why we collect it. To provide the Get Clarity service to you, to bill you for it, to comply with HMRC and Companies Act obligations, and — only with your separate consent — to send you marketing emails.
- Who we share it with. Sub-processors that operate parts of the service for us (hosting, email, AI, Open Banking, payments). Statutory recipients (HMRC, Companies House) where required by law. Never to advertisers or data brokers.
- Your rights. Access, correction, deletion, portability, restriction, objection, and the right to lodge a complaint with the ICO. We respond to data subject requests within one calendar month.
1. Who we are and how to contact us
Notabyte Limited is the data controller for personal data you provide when you use Get Clarity. You can contact us at:
- Email: privacy@clarityuk.app
- Post: Notabyte Limited, Flat 15, Gaysley House, London SE11 6TS, United Kingdom
- Phone: Available on request via email
We are registered with the Information Commissioner's Office (ICO). Our registration number is ZC108811 / C1894369.
2. What this policy covers
This Privacy Policy applies when you:
- Sign up for, or use, Get Clarity at clarityuk.app.
- Visit our marketing website.
- Sign up for our waitlist.
- Contact us by email or via in-app support.
It does not apply to third-party websites you reach via links from our service. When we share data with sub-processors, we list each one in our Sub-processor List.
3. What personal data we process and why
We process the categories of personal data set out below. For each category we set out the purpose, the lawful basis under UK GDPR, and how long we keep it.
| Category | Examples | Purpose | Lawful basis | Retention |
|----------|----------|---------|--------------|-----------|
| Identity & contact | Name, email, phone, business address | Provide the service, billing, support | Contract | Account life + 30 days, then deleted. Billing records: 6 years (HMRC). |
| Authentication | Hashed password, OAuth tokens, sessions | Sign you in, keep you signed in | Contract | Until you sign out or revoke. Sessions auto-expire 30 days. |
| Customer content | Invoices, expenses, contacts, transactions, receipts | Provide the service | Contract | Account life + 30 days, then deleted. |
| Bank data via Open Banking | Transactions imported from your connected bank | Automate bookkeeping | Contract; Open Banking consent | While bank connected, plus 6 years for tax records. |
| Tax data | VAT numbers, period totals, HMRC submission references | MTD VAT submissions | Legal obligation (HMRC) | 6 years from end of relevant tax year. |
| AI conversation history | Your messages to Ask AI / Copilot, AI responses | Provide AI features, support continuity | Contract | 90 days, or until you delete. Hard-deleted 30 days after delete request. |
| Receipt images | Receipts uploaded or imported via Gmail | OCR for expense capture | Contract | Until you delete the expense, or 6 years (tax retention). |
| Usage & analytics | Page views, feature events, error reports, IP, user-agent | Improve service, debug, security | Legitimate interests | 12 months. |
| Marketing | Email open/click events (only if you've subscribed) | Send relevant updates | Consent | Until you unsubscribe + 30 days reconciliation. |
| Cookies | Session cookie, preferences | Run the service | Strictly necessary; consent for non-essential | Per cookie expiry. |
We do not process special category data (e.g. health, religion, political views) intentionally. Receipts and transactions you import may incidentally contain such information; you control whether to include or remove it.
4. Where we get your data
Most personal data comes from you directly: when you sign up, complete onboarding, send invoices, or upload receipts.
Some data comes from third parties you authorise:
- Your bank, via TrueLayer (FCA-authorised Open Banking provider), when you connect a bank account.
- HMRC, when you make MTD VAT submissions and HMRC returns receipt confirmations.
- Stripe, when you subscribe to a paid plan.
- Apple or Google, when you use Sign in with Apple or Sign in with Google.
- Your email provider, via Gmail OAuth, when you enable Gmail Autopilot — and only the messages that match our invoice-detection criteria.
5. How we use AI features
When you use Ask AI, Copilot, or AI-assisted categorisation, we send the relevant context (your question, related transactions, etc.) to Anthropic PBC, our AI sub-processor. Anthropic processes the request, returns the AI response, and (under our contract) does not train its models on your data.
You can disable AI features from your workspace settings. You can delete your AI conversation history at any time from Settings → AI Conversations. Deletion is reversible for 30 days; after that, the data is permanently removed.
AI output is informational only — not financial or tax advice. Always confirm AI suggestions against your own records before acting.
6. Sub-processors
We use a small number of carefully selected sub-processors to operate Get Clarity. Each one handles a specific function (hosting, email, AI, Open Banking, etc.) and is bound by a written data-processing agreement.
The current list, including processing location and what each one does, is at: clarityuk.app/legal/sub-processors.
When we add a new sub-processor that processes your personal data, we update the list and — where the change is material — notify you in advance.
7. International transfers
Some of our sub-processors are based outside the United Kingdom. Where this involves a transfer of your personal data, we rely on:
- Adequacy regulations (e.g. for transfers to the EEA), or
- The UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses, with each affected sub-processor.
We do not transfer your data to any country without an adequate safeguard.
8. How we keep your data secure
We apply technical and organisational measures appropriate to the risk:
- TLS 1.2+ enforced on all connections; HSTS enabled.
- AES-256 encryption at rest for the database and object storage.
- OAuth and Open Banking tokens encrypted at the application layer.
- Passwords hashed with bcrypt (cost ≥ 12).
- Multi-factor authentication on all administrative accounts.
- Row-Level Security at the database layer.
- Quarterly access reviews.
- Annual vulnerability scan.
- Dependency security scanning with rapid patching for high-severity issues.
Despite our measures, no system is 100% secure. We have an Incident Response Plan that requires us to notify the ICO within 72 hours of becoming aware of a personal data breach that puts your rights at risk, and to notify you directly if the breach is likely to result in high risk to you.
9. Your rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights:
- Access. Get a copy of the personal data we hold about you.
- Rectification. Have inaccurate data corrected.
- Erasure. Have your data deleted ("right to be forgotten").
- Portability. Receive your data in a machine-readable format and have it transferred to another controller.
- Restriction. Have processing restricted in specific circumstances.
- Objection. Object to processing based on legitimate interests, or to direct marketing.
- Withdraw consent. Where we rely on consent, you can withdraw it at any time.
- Complain to the ICO. ico.org.uk/concerns or 0303 123 1113.
To exercise any right except complaining to the ICO, email us at privacy@clarityuk.app. We will respond within one calendar month. We may extend this by up to two further months for complex requests; if we do, we will tell you why.
Most rights can also be exercised in-product:
- Access & portability: Settings → Export
- Rectification: Settings → Profile, or by editing your records directly
- Erasure: Settings → Close Account
- AI conversation deletion: Settings → AI Conversations
10. Cookies
We use cookies that are strictly necessary for the service to function (e.g. authentication, CSRF protection). These do not require consent.
For non-essential cookies (analytics, preferences) we ask for your consent on first visit. You can change your cookie preferences at any time from the footer of any page.
The full cookie list:
| Cookie | Type | Purpose | Expires |
|--------|------|---------|---------|
| sb-access-token | Strictly necessary | Authentication | Session |
| sb-refresh-token | Strictly necessary | Authentication | 30 days |
| csrf | Strictly necessary | CSRF protection | Session |
| cookie_pref | Strictly necessary | Stores your cookie choice | 1 year |
| va_session | Analytics (consent) | Vercel Analytics — anonymous session ID | Session |
11. Data retention
In summary:
- Customer content (invoices, expenses, transactions): kept while your account is active. 30 days after account closure, all customer content is deleted, except records we are required to retain by law.
- Billing & MTD VAT records: retained for 6 years from the end of the relevant tax year (Companies Act 2006, MTD legislation).
- AI conversation history: kept until you delete it, or 90 days from creation, whichever is sooner.
- Backups: included in the above. Backups expire on a rolling basis (typically 7-day point-in-time recovery + 30-day weekly archive).
- Logs: 12 months.
The detailed retention schedule is in our Data Retention Policy (available on request).
12. Children
Get Clarity is not intended for children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.
13. Changes to this policy
We may update this policy from time to time. When we do, we will:
- Update the Effective from date at the top.
- For material changes, send a notice to your registered email at least 30 days before the change takes effect.
- Keep prior versions available on request from privacy@clarityuk.app.
If you continue to use Get Clarity after a change takes effect, you accept the updated policy. If you do not accept it, you may close your account.