UK GDPR Compliance

Last updated: 19 March 2026

Our approach

Fineproof (operated by SBIA LIMITED) is built with data protection by design and by default. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data protection by design

Data protection is embedded into the development process from the outset:

  • Row Level Security (RLS) is enforced by the database on every query, so a user can only read or modify their own rows
  • Personal data is encrypted at rest and in transit
  • We collect only the data necessary to provide the service (data minimisation)
  • Automated data retention policies delete data when no longer needed
  • Privacy impact assessments are conducted for new features that process personal data
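
The RLS point above is a database-layer control, and its value depends on a few details that are easy to get wrong: the policy must cover writes as well as reads, the application must not connect as a role that bypasses it, and a request that arrives without a user context must see nothing rather than everything. The PostgreSQL script below is an added example of how such a policy is built and checked. It is not Fineproof's schema or code: the table, the role app_user and the session setting app.current_user_id are assumptions for illustration.

```sql
-- Added example (not Fineproof's schema or code): PostgreSQL Row Level
-- Security that scopes every read and write on a table to the user the
-- application has authenticated. Assumptions: the app connects as the
-- non-owner role app_user and sets app.current_user_id per transaction.

CREATE TABLE transactions (
    id           bigserial PRIMARY KEY,
    owner_id     uuid   NOT NULL,
    amount_pence bigint NOT NULL,
    description  text
);

-- Constructed sample rows for two users, inserted as the table owner
-- before RLS is switched on.
INSERT INTO transactions (owner_id, amount_pence, description) VALUES
    ('11111111-1111-1111-1111-111111111111', 1250, 'Alice: invoice 42'),
    ('22222222-2222-2222-2222-222222222222', 9900, 'Bob: rent received');

-- The application role. It must never own the table: owners bypass RLS
-- unless the table is marked FORCE ROW LEVEL SECURITY, and BYPASSRLS or
-- superuser roles bypass it regardless of any policy.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON transactions TO app_user;
GRANT USAGE, SELECT ON SEQUENCE transactions_id_seq TO app_user;

ALTER TABLE transactions ENABLE ROW LEVEL SECURITY;
ALTER TABLE transactions FORCE ROW LEVEL SECURITY;

-- One policy covers the rows SELECT/UPDATE/DELETE may see (USING) and the
-- rows INSERT/UPDATE may produce (WITH CHECK). The second argument to
-- current_setting() makes it return NULL instead of raising when the
-- setting is absent, so a request that never set a user id matches no
-- rows and cannot insert: the control fails closed.
CREATE POLICY owner_only ON transactions
    FOR ALL
    TO app_user
    USING      (owner_id = current_setting('app.current_user_id', true)::uuid)
    WITH CHECK (owner_id = current_setting('app.current_user_id', true)::uuid);

-- Alice's request. SET ROLE requires the connecting role to be a member
-- of app_user (or a superuser). Only rows whose owner_id matches the
-- session setting are visible; an UPDATE aimed at Bob's rows finds none.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_user_id = '11111111-1111-1111-1111-111111111111';
SELECT id, description FROM transactions;
UPDATE transactions SET amount_pence = 0
 WHERE owner_id = '22222222-2222-2222-2222-222222222222';
COMMIT;

-- Cross-user write: the WITH CHECK clause rejects the new row, the INSERT
-- fails with a row-level security policy violation and the transaction
-- must be rolled back.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_user_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO transactions (owner_id, amount_pence, description)
VALUES ('22222222-2222-2222-2222-222222222222', 1, 'written by Alice');
ROLLBACK;

-- Missing user context: the NULL comparison matches no rows, so the count
-- is empty rather than the whole table.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM transactions;
ROLLBACK;
```

Two checks worth running against any RLS deployment of this shape: confirm with `\dp` or `pg_policies` that every table holding personal data has a policy for the role the application actually connects as, and confirm that role is neither the table owner nor marked BYPASSRLS. Functions declared SECURITY DEFINER run as their owner and so also step outside these policies unless the owner is itself subject to them.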

Lawful basis for processing

We process personal data under the following lawful bases (UK GDPR Article 6):

  • Contract performance — to provide the Fineproof service to you
  • Legal obligation — for AML checks (Money Laundering Regulations 2017) and HMRC submissions
  • Legitimate interest — for fraud prevention, product improvement, and security monitoring
  • Consent — for marketing communications and analytics cookies

For full details, see our Privacy Policy.

Your rights

Under the UK GDPR, you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data. You also have the right to withdraw consent at any time and not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you (UK GDPR Article 22).

To exercise any of these rights, email privacy@fineproof.co.uk. We will respond within 30 days.

Data Processing Agreement (DPA)

If you are a business customer (data controller) using Fineproof to process personal data on behalf of your tenants or clients, we provide a Data Processing Agreement compliant with UK GDPR Article 28.

To request a DPA, email legal@fineproof.co.uk.

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for any processing that is likely to result in a high risk to individuals' rights and freedoms. This includes:

  • Processing of financial data for Making Tax Digital (MTD) submissions
  • Identity verification (AML) using third-party providers
  • Automated categorisation of income and expenses

International data transfers

Our primary infrastructure is hosted in the UK (AWS eu-west-2, London). Where data is processed by sub-processors outside the UK, we ensure appropriate safeguards are in place under UK GDPR Chapter V: UK adequacy regulations for the destination country or, where none apply, Standard Contractual Clauses with the UK Addendum or the ICO's International Data Transfer Agreement (IDTA).

For a full list of sub-processors, see our Security page.

Breach notification

In the event of a personal data breach, we will:

  • Notify the ICO within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals' rights and freedoms
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk
  • Document the breach, its effects, and corrective action taken

Contact

Data Protection queries: privacy@fineproof.co.uk

Supervisory authority: Information Commissioner's Office (ICO)