Privacy Policy

Last updated: 2 April 2026

1. Who We Are

Fineproof is a trading name of SBIA Limited, a company registered in England and Wales. We are the data controller for the personal data we process through the Fineproof platform at fineproof.co.uk.

Contact: privacy@fineproof.co.uk

2. What Data We Collect

We collect and process the following categories of personal data:

  • Account data — full name, email address, and authentication credentials (via Google OAuth or email/password)
  • Property data — addresses, EPC ratings, gas safety and EICR certificate details, tenancy information
  • Financial data — rental income and expense records, bank transaction data (via TrueLayer), HMRC MTD submission records
  • Tenant data — names and AML verification records where you use our compliance checking features
  • Billing data — processed by Stripe; we do not store your full card details
  • Usage data — pages visited, features used, device type, and IP address

3. How We Use Your Data

We process your data for the following purposes under the stated legal bases:

  • Providing the service (contract) — managing your properties, tracking compliance deadlines, filing MTD returns
  • Processing payments (contract) — managing your subscription via Stripe
  • Sending compliance alerts (legitimate interest) — notifying you of expiring certificates, upcoming deadlines
  • Improving the platform (legitimate interest) — analysing usage patterns to enhance features
  • Legal obligations — retaining records as required by UK tax and financial regulations

4. Third-Party Processors

We share your data with the following processors, all of which maintain appropriate safeguards:

  • Supabase (EU region) — database hosting and authentication
  • Stripe — payment processing (PCI DSS Level 1 compliant)
  • Resend — transactional email delivery
  • TrueLayer — open banking data retrieval (FCA regulated)
  • Vercel — application hosting

5. Data Retention

We retain your data as follows:

  • Account data — retained while your account is active, deleted within 30 days of account closure
  • Financial records — retained for 7 years as required by HMRC
  • Usage data — retained for 12 months
  • Compliance certificates — retained while your account is active or as required by law

6. Your Rights

Under UK GDPR, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data (subject to legal retention requirements)
  • Portability — receive your data in a machine-readable format
  • Object — object to processing based on legitimate interest
  • Withdraw consent — where processing is based on consent

To exercise any of these rights, email privacy@fineproof.co.uk. We will respond within 30 days.

7. Cookies

We use the following cookies:

  • Essential cookies — authentication session, subscription cache (fp_has_sub)
  • Analytics cookies — anonymous usage analytics (only with your consent)

You can manage cookie preferences via the banner shown on your first visit.

8. Data Security

We implement appropriate technical and organisational measures including: encryption in transit (TLS 1.3), encryption at rest (AES-256), row-level security on all database tables, and regular security reviews.

9. International Transfers

Your data may be processed in the EU/EEA (Supabase) and the United States (Vercel, Stripe). Where data is transferred outside the UK, we ensure adequate safeguards are in place through Standard Contractual Clauses or adequacy decisions.

10. Complaints

If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notification. The “last updated” date at the top of this page reflects the most recent revision.