Privacy Policy
Vecti Tech Ltd ("we", "us", "our")
Last updated: 19 May 2026
Effective date: 17 April 2026
This policy reflects Vecti's current product scope for launch preparation, including accountant discovery and connected-accountant service flows where enabled.
1. Who we are
Vecti Tech Ltd is a company registered in England and Wales. We provide a mobile and web application ("Vecti") that helps self-employed people in the UK track income, expenses, mileage, and invoices, work with an accountant, and use HMRC filing features where those features are enabled in the service.
Data controller: Vecti Tech Ltd
Contact: privacy@vecti.co.uk
ICO registration: ZC127524 (registered 19 April 2026, expires 18 April 2027 — renew annually). Certificate: docs/legal/certificates/ico-data-protection-ZC127524.pdf.
2. What data we collect and why
2.1 Account data
| Data | Purpose | Legal basis |
|---|---|---|
| Name, email address | Create and manage your account | Contract performance |
| Password (hashed) | Authenticate your account | Contract performance |
| Apple or Google sign-in identity data you choose to share | Optional sign-in and account access | Contract performance |
| Phone number (optional) | Account recovery and account communication | Consent |
2.2 Financial and record-keeping data
| Data | Purpose | Legal basis |
|---|---|---|
| Income records | Tax calculations and record keeping | Contract performance |
| Expense records | Tax calculations, claim tracking, and record keeping | Contract performance |
| Mileage logs, route data, and trip start/end locations | Mileage tracking, trip history, and mileage calculations | Contract performance |
| Invoice data (clients, amounts, dates, statuses) | Invoicing and payment tracking | Contract performance |
| VAT records | VAT return calculations and VAT submissions where enabled | Contract performance |
| CIS deduction records | CIS tax calculations and record keeping | Contract performance |
| Receipt, statement, avatar, and attachment images you upload | Record keeping, client profiles, support for receipt/document workflows, and accountant collaboration | Contract performance |
| Bank transaction data (if connected later) | Categorisation and reconciliation | Consent |
2.3 HMRC data
| Data | Purpose | Legal basis |
|---|---|---|
| Unique Taxpayer Reference (UTR) | HMRC filing features and obligation lookup where enabled | Contract performance |
| National Insurance number | HMRC filing features and tax identity validation where enabled | Contract performance |
| VAT registration number | VAT obligations and VAT filing features where enabled | Contract performance |
| HMRC OAuth tokens (encrypted) | Retrieve obligations and support HMRC filing features on your behalf where enabled | Contract performance |
| MTD submission history | Record keeping, filing status, and support | Contract performance, legal obligation |
2.4 Accountant collaboration data
| Data | Purpose | Legal basis |
|---|---|---|
| Accountant connection records | Link you to your chosen accountant | Contract performance |
| Messages and shared records between you and your accountant | Facilitate collaboration and year-end handoff | Contract performance |
| Accountant service orders, prices, payment status, disputes, and service messages where enabled | Provide connected-accountant service flows and payment support | Contract performance |
| Public accountant profile and service listing data where marketplace discovery is enabled | Let users browse accountants and services offered through Vecti | Legitimate interest, contract performance |
| Reviews and ratings where enabled | Show marketplace trust signals, handle moderation, and support disputes | Legitimate interest |
| Accountant professional verification details, including professional body, membership number, professional indemnity insurance (PII) provider, and PII expiry | Review accountant eligibility for offering paid services through Vecti where enabled | Legitimate interest, contract performance |
Accountant discovery and connected-accountant service flows may be available where enabled, including service listings, Stripe Connect payments, order status, refunds, disputes, reviews, and ratings. Public discovery does not expose private client records, private messages, HMRC tokens, or accountant verification documents.
2.5 Device and operational data
| Data | Purpose | Legal basis |
|---|---|---|
| Device type, OS version, and app version | App compatibility, troubleshooting, and support | Legitimate interest |
| IP address | Security, fraud prevention, and abuse prevention | Legitimate interest |
| Push notification tokens | Send deadline reminders and account notifications you opt into | Consent |
| Precise location while live trip tracking is active, including background location where you allow tracking to continue off-screen | GPS trip tracking and mileage logging | Contract performance |
| Trip location search queries, route-preview requests, and map rendering data | Search and preview trip routes before logging mileage | Contract performance |
| Vehicle trigger identifiers, such as Bluetooth device IDs or beacon IDs, and Android background location permission where vehicle auto-start is enabled | Recognise a vehicle you choose for opt-in mileage features | Consent (you opt in by pairing a vehicle or beacon and granting permissions) |
| Crash and error diagnostics where Sentry client monitoring is enabled in a released build | Diagnose crashes, broken screens, and failed support flows | Legitimate interest |
| Product interaction events in authenticated app surfaces where PostHog is enabled in a released build | Understand where users get blocked in core workflows and improve the service | Legitimate interest; contract performance where needed to support the authenticated service |
Current release state: released client builds do not initialise the PostHog product-analytics SDK or the Sentry crash-reporting SDK until the observability release gate is complete. Where enabled in a release, Sentry receives only masked crash/error diagnostics linked to Vecti's internal user id, release, route, surface, and device/app context; PostHog receives allowlisted product-interaction events from authenticated app surfaces linked to Vecti's internal user id. We do not send raw HMRC tokens, NINO, UTR, VAT numbers, bank details, client records, invoice amounts, receipt text, trip paths, or free-text form content to either service.
2.6 Marketing data
| Data | Purpose | Legal basis |
|---|---|---|
| Email marketing preferences | Send marketing emails | Consent |
| Referral data | Run a referral programme where enabled | Legitimate interest |
We never use pre-checked consent boxes. You actively choose what to opt into.
Service messages about your account, tax records, HMRC connection, submissions, security, subscription, accountant access, or important product changes are not treated as marketing. Marketing preferences apply to marketing messages.
3. Third-party processors
We share data with these processors where relevant to the current service:
| Processor | What they process | Where data is stored | Purpose |
|---|---|---|---|
| Supabase (supabase.com) | Account data and app data | EU (Frankfurt, Germany) | Database, authentication, backend |
| Stripe (stripe.com) | Web subscription billing data where web checkout is offered, and connected-accountant service payment data where accountant service flows are enabled | EU/EEA | Subscription billing and accountant service marketplace billing |
| RevenueCat (revenuecat.com) | Subscription status and purchase receipts | US (with EU SCCs) | In-app subscription management |
| Expo (expo.dev) | Push notification tokens | US (with EU SCCs) | Push notification delivery |
| HMRC (gov.uk) | Tax return data, UTR, NI number, VAT number | UK | HMRC filing features where enabled |
| Apple (apple.com) | Purchase receipts and optional Sign in with Apple identity data | US (EU adequacy) | App Store subscription verification and optional account sign-in |
| Google (google.com) | Purchase receipts and optional Google sign-in identity data | US (EU adequacy) | Play Store subscription verification and optional account sign-in |
| Resend (resend.com) | Invitation and transactional email delivery data | US (with EU SCCs) | Send accountant invites, connection invites, and transactional emails |
| Mapbox (mapbox.com) | Trip location search queries, route-preview data, and map rendering requests | US (with EU SCCs) | Geocoding, route preview, and map display for mileage logging |
| Sentry (sentry.io) | Masked crash and error diagnostics where client monitoring is enabled | EU region targeted for Vecti project; provider safeguards apply where data leaves UK/EU | Crash reporting, error triage, and release health |
| PostHog (posthog.com) | Allowlisted product-interaction events where analytics is enabled in authenticated app surfaces | EU Cloud (Frankfurt) targeted for Vecti project | Product analytics for onboarding, filing, support, and workflow improvement |
We do not sell your data. We do not share your data with advertisers.
Where you choose to connect or hire an accountant, that accountant may have their own professional data protection responsibilities for the work they do for you. Vecti controls the app platform and access controls, but an accountant may also act as an independent controller for their own professional services. This depends on the service and is reflected in the relevant accountant terms where those flows are enabled.
4. International data transfers
Your core data is stored in the EU (Frankfurt, Germany) via Supabase. Where data is transferred outside the UK/EU:
- US-based or globally operated processors (RevenueCat, Expo, Apple, Google, Resend, Mapbox, and any non-EU Sentry/PostHog subprocessor path): we rely on appropriate contractual safeguards or the provider's applicable transfer mechanisms.
- HMRC: data is transferred to UK government systems as required for tax compliance.
We only transfer data to countries with adequate protection or with appropriate safeguards in place.
5. Data retention
| Data type | Retention period | Reason |
|---|---|---|
| Account data | Until you delete your account, with limited audit or suppression records retained where needed | Service provision and rights handling |
| Self Assessment and MTD Income Tax records (income, expenses, mileage, CIS, property, invoices, receipts) | Normally up to 7 years from the end of the relevant tax year. HMRC rules require self-employed and MTD Income Tax records to be kept for at least 5 years after the 31 January submission deadline. Records may be kept longer for late returns, HMRC checks, disputes, legal claims, or other legal holds. | Tax record keeping |
| VAT records | Normally up to 7 years. HMRC generally requires VAT records to be kept for at least 6 years. Longer or different periods may apply if Vecti later supports VAT schemes with special retention rules. | VAT record keeping |
| Uploaded receipt/document images | Until you delete them or delete your account, subject to any legal retention requirement for related tax, VAT, accountant, payment, dispute, or audit records. Copies you save to a phone folder stay on your device and are not controlled or deleted by Vecti. | Record keeping |
| HMRC OAuth tokens | Until you disconnect HMRC or delete your account | Active connection required for submissions |
| HMRC submission evidence and MTD submission records | Retained with the relevant tax or VAT records, normally up to 7 years, and longer where required for HMRC checks, disputes, legal claims, or audit evidence | Legal record keeping and filing support |
| Rule/calculation snapshots used for submitted or archived tax years | Retained with the linked tax or submission record | Explain old tax years and submitted figures |
| Payment records | Up to 7 years, and longer where required for chargebacks, disputes, tax, fraud prevention, or legal claims | Financial regulations and subscription support |
| Accountant connection, permission, verification, listing, review, rating, dispute, and service-flow records | Up to 7 years, or shorter where no longer needed and no legal, tax, payment, audit, access, or dispute reason applies | Marketplace operation, fraud prevention, dispute handling, accounting records, and audit trail |
| Push notification tokens | Until you disable notifications, sign out from that device, or delete your account | Notification delivery |
| Marketing consent and suppression records | Duration of consent plus 3 years for consent evidence; minimal suppression records may be retained so we do not send marketing after you opt out | Prove consent and respect opt-outs |
| Sentry crash/error diagnostics where enabled | Target retention: 90 days for error events and 30 days for error replays unless a shorter provider setting is configured | Troubleshooting and release health |
| PostHog product analytics where enabled | Target retention: 90 days unless a shorter provider setting is configured | Product improvement and support triage |
| Support, privacy, export, deletion, and complaint requests | As long as needed to handle the request and keep a proportionate audit record | Legal obligation, rights handling, and dispute prevention |
| Backups | Until overwritten under our backup retention schedule. If deleted data is restored from backup, deletion/retention rules must be reapplied. | Resilience and recovery |
When you delete your account, we delete or deactivate your personal data from active product use within 30 days subject to any lawful retention requirement. The right to erasure is not absolute; we may retain limited records where needed for tax, VAT, payment, accountant-service, dispute, security, legal, regulatory, or audit reasons. See our Data Deletion Policy for details.
The public web deletion resource is also available at /data-deletion.
6. Your rights under UK GDPR
You have the right to:
| Right | What it means | How to exercise it |
|---|---|---|
| Access | Get a copy of your data | In-app export where available, or email privacy@vecti.co.uk |
| Rectification | Correct inaccurate data | Edit in the app, or email us |
| Erasure | Delete your account and data | In-app: Profile > Delete Account, or email us |
| Portability | Get your data in a machine-readable format | In-app export where available, or email us |
| Restriction | Limit how we use your data | Email privacy@vecti.co.uk |
| Objection | Object to processing based on legitimate interest | Email privacy@vecti.co.uk |
| Withdraw consent | Stop processing based on consent | In-app settings or email us |
We respond to rights requests within 30 days unless the law allows us more time for a complex request.
7. Cookies
Our website uses essential cookies for authentication and security. Public marketing pages do not use analytics cookies in the V1 observability scope. Where PostHog product analytics is enabled inside authenticated dashboard or accountant portal surfaces, it may set ph_* analytics cookies for product-improvement and support-triage purposes. See our Cookie Policy for details.
8. Children's data
Vecti is not intended for anyone under 16. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.
9. Security
We protect your data with:
- Encryption in transit (TLS)
- Encryption at rest for server-stored data
- Additional secure storage or encrypted handling for selected sensitive credentials used by the app
- Row-level security on database tables where applicable
- Hashed passwords via Supabase Auth
- Access controls and authentication checks
- Regular operational reviews
No system is 100% secure. If we discover a reportable breach, we will notify affected users and the ICO where required by law.
10. Automated decision-making
Vecti performs automated tax calculations based on the data you enter. These calculations:
- follow published HMRC rules and configured tax rates
- are shown to you for review before submission
- can be corrected by you
- are not used to make legal decisions about you without your involvement
You review and approve before anything is submitted to HMRC.
11. Changes to this policy
We may update this policy from time to time. When we make significant changes, we will update the "Last updated" date and notify you in the app or by email where appropriate.
12. Complaints
If you are unhappy with how we handle your data:
- Contact us first at privacy@vecti.co.uk.
- You may also complain to the Information Commissioner's Office at ico.org.uk.
13. Contact us
For privacy questions or rights requests:
- Email: privacy@vecti.co.uk
- Post: Vecti Tech Ltd, Unit A, 82 James Carter Road, Mildenhall, IP28 7DE, United Kingdom