This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Eido platform at eidoapp.io ("the Platform"). We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
Eido Technologies Ltd is the data controller for personal data processed through the Platform.
Contact: admin@eidoapp.io
ICO Registration: [Pending — to be added when registered]
2. What Data We Collect
2.1 Account Data
- Name, email address, and role when you create an account or are invited
- Authentication data (managed by Supabase Auth — we do not store passwords directly)
2.2 Company Data
- Company name, address, registration details, VAT number
- Financial data: invoices, expenses, journal entries, bank transactions, budgets, forecasts
- Client and supplier records: names, contact details, payment history
- Employee data (if payroll module enabled): names, NI numbers, salary details, tax codes
- Documents: uploaded receipts, invoices, attachments
2.3 Usage Data
- Pages visited, features used, actions taken within the Platform
- Error logs and performance data (via Sentry)
- Device and browser information for HMRC fraud prevention headers (required by HMRC for Making Tax Digital submissions)
2.4 Communication Data
- Waitlist and request access form submissions
- Support emails
2.5 Data from Inbound Email
When enabled, emails forwarded to your company's inbound address are processed to extract attachments. Email metadata (sender, subject, timestamp) is logged. Attachments are processed through OCR and AI enrichment.
3. How We Use Your Data
3.1 Providing the Platform
- Processing and storing your financial data
- Generating reports, management accounts, and analytics
- Facilitating HMRC submissions (VAT MTD)
- Sending transactional emails (invoice delivery, chaser emails, notifications)
- Running AI analysis and agent features
3.2 AI Processing
Your financial data is sent to Anthropic's Claude API for the following purposes:
- Management accounts commentary and variance analysis
- Forecast analysis and assumption comparison
- Invoice chaser email drafting
- Client risk assessment narratives
- Bank transaction matching and categorisation
- Expense categorisation suggestions
- Period close summaries
- Eido Digest weekly intelligence briefing
- Eido Chat conversational analysis
Important:Anthropic does not use data submitted via their API to train their models. Data is processed in transit and not retained by Anthropic beyond the immediate request. See Anthropic's API Data Privacy documentation for details.
3.3 Improving the Platform
- Analysing anonymised, aggregated usage patterns to improve features
- Monitoring errors and performance (via Sentry)
- Calibrating AI confidence scores based on approval/correction rates (per-company, not shared)
3.4 Communication
- Sending account-related notifications
- Responding to support requests
- Sending product updates (with opt-out)
4. Legal Basis for Processing
| Purpose | Legal Basis |
|---|---|
| Providing the Platform | Performance of contract (Article 6(1)(b)) |
| HMRC submissions | Legal obligation (Article 6(1)(c)) |
| AI processing for Platform features | Legitimate interest (Article 6(1)(f)) — necessary to provide the AI-enhanced features you have signed up for |
| Improving the Platform | Legitimate interest (Article 6(1)(f)) |
| Marketing communications | Consent (Article 6(1)(a)) |
| Fraud prevention (HMRC headers) | Legal obligation (Article 6(1)(c)) |
5. Data Sharing
5.1 Third-Party Service Providers
We share data with the following providers solely for the purpose of operating the Platform:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database and authentication | All Platform data | [Check project region] |
| Vercel | Application hosting | Application code, request logs | Global CDN |
| Anthropic | AI analysis | Financial data in API requests | US (data not retained) |
| Resend | Transactional email | Email addresses, email content | US/EU |
| Sentry | Error monitoring | Error logs, device info | US/EU |
| HMRC | Tax submissions | VAT returns, fraud prevention headers | UK |
5.2 We Do Not
- Sell your personal data to any third party
- Share your data with advertisers
- Use your data for purposes unrelated to providing the Platform
- Share individual company data between Eido customers
5.3 Legal Requirements
We may disclose your data if required by law, regulation, legal process, or governmental request.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after termination |
| Financial records | Duration of account + 7 years (HMRC requirement) |
| Employee/payroll data | Duration of account + 7 years (HMRC requirement) |
| Uploaded documents | Duration of account (subject to storage limits) |
| Error logs (Sentry) | 90 days |
| Waitlist submissions | Until processed or 12 months |
| Inbound email logs | 90 days |
| Agent audit trail | Duration of account + 7 years |
After the retention period, data is securely deleted unless you request earlier deletion (subject to regulatory requirements — see Section 8).
7. Data Security
We implement appropriate technical and organisational measures to protect your data:
- All data transmitted via HTTPS/TLS encryption
- Database access controlled by Row Level Security (RLS) ensuring strict tenant isolation — each company can only access its own data
- Authentication via Supabase Auth with support for multi-factor authentication
- API keys and secrets stored as encrypted environment variables, never in source code
- Regular security audits and codebase reviews
- Admin and owner role requirements for sensitive operations (agent autonomy settings, period close, user management)
- Audit trail logging for all significant actions
8. Your Rights
Under UK GDPR, you have the following rights:
- Right of access — You may request a copy of the personal data we hold about you.
- Right to rectification — You may request correction of inaccurate data.
- Right to erasure — You may request deletion of your data, subject to regulatory retention requirements. We will inform you if deletion conflicts with HMRC record-keeping obligations and discuss options.
- Right to data portability— You may export your data in standard formats (CSV, PDF) via the Platform's data export feature at any time.
- Right to restrict processing — You may request we limit how we use your data.
- Right to object — You may object to processing based on legitimate interests. You may disable specific AI features in your settings.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at admin@eidoapp.io. We will respond within 30 days.
9. Cookies
The Platform uses essential cookies for:
- Authentication session management (Supabase Auth)
- Security (CSRF protection)
We do not currently use analytics cookies, advertising cookies, or tracking cookies. If this changes, we will update this policy and implement a cookie consent mechanism.
10. International Transfers
Some of our service providers process data outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place:
- Anthropic (US): Data processed in transit only, not retained. Covered by Anthropic's API data processing terms.
- Vercel (US/Global): Standard Contractual Clauses.
- Sentry (US/EU): Standard Contractual Clauses.
11. Children
The Platform is not intended for individuals under 18 years of age. We do not knowingly collect data from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Platform. The "Last updated" date at the top indicates when the policy was last revised.
13. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Phone: 0303 123 1113
14. Contact
Eido Technologies Ltd
Email: admin@eidoapp.io
Website: eidoapp.io