Privacy Policy
Privacy Policy.
This Privacy Policy explains how Hello Bertie Ltd ("we", "us") collects, uses, shares, and protects your personal data when you use our app and services. We are the data controller for this data. We are registered with the Information Commissioner's Office (ICO), registration number [ICO ref].
Contact / Data Protection Officer: [dpo@hellobertie.com] · [registered address].
Prefer the short version? Read our Privacy at a Glance.
Contents
- The personal data we collect
- Why we use your data and our legal basis
- Automated decision-making
- Who we share data with
- International transfers
- How long we keep your data (retention)
- Deleting your data
- Your rights
- How we protect your data
- Cookies and similar technologies
- Children
- Changes to this Policy
1. The personal data we collect
- Identity & contact data: name, email, phone, date of birth, address.
- Account & authentication data: login credentials (stored securely), device identifiers, authentication logs.
- Financial data: bank and invoice information you connect — account details, balances, transactions, payee details, and payment instructions you make through the Service.
- Technical & usage data: IP address, device and app information, and how you use the Service.
- Communications: messages you send us (e.g. support and complaints).
We collect this from you directly, from your device, and — with your consent — from your bank via secure open-banking connections.
2. Why we use your data and our legal basis
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Provide the Service: show your invoices/accounts, initiate payments | Performance of our contract with you (Art. 6(1)(b)) |
| Authenticate you and secure your account | Contract; and legal obligation (SCA under PSRs 2017) |
| Prevent, detect and investigate fraud and financial crime | Legal obligation; and our legitimate interests (Art. 6(1)(f)) |
| Comply with FCA, anti-money-laundering and other legal duties | Legal obligation (Art. 6(1)(c)) |
| Improve and develop the Service | Legitimate interests, balanced against your rights |
| Send service messages | Contract |
| Send marketing (if any) | Consent (Art. 6(1)(a)), which you can withdraw anytime |
We do not sell your personal data. Where we rely on consent (e.g. to connect your bank), you can withdraw it at any time, though this may stop the Service working.
3. Automated decision-making
[Describe any automated processing — e.g. fraud scoring, categorisation, or any decisions the "agent" makes automatically. State whether any decision produces legal or similarly significant effects under Art. 22, and the safeguards and human-review options available. If Hello Bertie suggests or auto-initiates payments, explain the human-in-the-loop controls.]
4. Who we share data with
- Your bank / account providers, to read data and initiate payments you request.
- Service providers (processors) acting on our instructions — e.g. our cloud host [name], open-banking/data-access provider [name], identity-verification and analytics providers. They are bound by contract and may only use your data for the purposes we set.
- Regulators, law enforcement and other authorities where required by law (e.g. FCA, ICO, National Crime Agency).
- A buyer or successor if our business is reorganised or sold, subject to this Policy.
5. International transfers
[Where any data is transferred outside the UK, identify the countries and the safeguard used — UK adequacy regulations, the International Data Transfer Agreement / UK Addendum to the EU SCCs, or another lawful mechanism.]
6. How long we keep your data (retention)
We keep personal data only as long as necessary for the purposes above. In particular:
- Transaction and payment records and financial-crime records: [5–6] years after the relationship ends (to meet PSRs/AML/tax obligations).
- Account data: deleted or anonymised within [X months] of account closure, unless a longer legal retention period applies.
A full retention schedule is maintained internally at [link].
7. Deleting your data
You can ask us to delete your account and personal data at any time via [in-app setting] or [dpo email]. We will delete it unless we are legally required to keep certain records (e.g. AML/transaction history), in which case we will restrict it and delete it once the retention period ends.
8. Your rights
Under UK data protection law you have the right to: be informed; access your data; have inaccurate data corrected; have data erased; restrict or object to processing; data portability; and to withdraw consent. You also have the right not to be subject to solely automated decisions with significant effects (Art. 22). To exercise any right, contact [dpo email]. We will respond within one month.
If you are unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ico.org.uk, 0303 123 1113). We'd appreciate the chance to address it first.
9. How we protect your data
We use encryption in transit and at rest, strong access controls, multi-factor authentication, and continuous monitoring. See our Security Statement for a summary and our internal Information Security Policy for detail.
10. Cookies and similar technologies
[Summarise here and/or link to a separate Cookie Policy, required under PECR. Cover essential vs non-essential cookies and how to manage consent.]
11. Children
The Service is not for under-18s and we do not knowingly collect their data.
12. Changes to this Policy
We may update this Policy and will post the new version with a revised date; we will notify you of material changes.
← Back to home