Last updated: 2026-05-10

Privacy Policy

This page explains what data Vupiy collects, why, who we share it with, how long we keep it, and the rights you have over your data under UK GDPR & the Data Protection Act 2018.

Note: this is a public draft. Before launch, this document must be reviewed by qualified UK legal counsel to verify compliance with UK GDPR, the Data Protection Act 2018, and ICO guidance. Treat the text below as a placeholder structure, not legal advice.

1. Who we are

Vupiy is a UK-registered software company providing accounting and invoicing services to UK businesses, freelancers and accountants. Contact: [email protected] · [email protected].

2. What we collect

We collect only what's needed to operate Vupiy:

  • Account data — name, email, password (hashed), 2FA secret, JWT sessions
  • Company data — company name, VAT number, address, banking details, Stripe API keys (encrypted at rest)
  • Operational data — customers, suppliers, products, invoices, expenses, schedule entries you create
  • Technical data — IP address, browser, device, usage logs (for security & debugging)
  • Payment data — billing records (handled by Stripe; we do not store full card numbers)

3. Why we collect it

Lawful bases under UK GDPR:

  • Contract — to provide the service you signed up for
  • Legitimate interest — to secure the service, prevent fraud, debug
  • Legal obligation — to comply with UK accounting record retention
  • Consent — for optional marketing emails (you can opt out anytime)

4. Who we share it with

We use a small number of UK/EU sub-processors to operate Vupiy. We do not sell your data, ever.

  • Hosting & database — UK/EU data-centre providers
  • Email delivery — transactional email services for invoices & notifications
  • Stripe — for subscription billing & per-tenant payment links
  • Google reCAPTCHA — for bot protection on auth flows
  • Customer support tooling — to handle your queries

A current sub-processor list is available on request.

5. How long we keep it

  • Account data — while your account is active + 30 days after cancellation
  • Operational data (invoices, expenses) — kept for the period required by UK accounting record retention rules (typically 6 years)
  • Technical logs — 90 days rolling
  • Backups — 30-day rolling retention

6. Your rights

Under UK GDPR you have the right to:

  • Access the data we hold about you
  • Correct inaccurate data
  • Delete your data (subject to retention obligations)
  • Port your data — Excel/PDF export from inside the app, plus REST API on Practice plans
  • Object to processing for legitimate-interest purposes
  • Withdraw consent for marketing
  • Complain to the UK ICO at ico.org.uk

Email [email protected] to exercise any of these.

7. Cookies

Vupiy uses essential cookies only — for authentication, session management, theme preference and security. We do not run advertising or third-party analytics that profile you. A full cookie list is in the in-app settings.

8. Security

Data in transit is encrypted with TLS 1.2+. Sensitive secrets (Stripe keys, 2FA secrets) are encrypted at rest. We use 2FA (TOTP) for admin access. Independent penetration tests are carried out annually.

9. Changes

If we materially change this policy we will email account holders & surface a banner inside the app. The "Last updated" date at the top is authoritative.

10. Contact

Privacy questions: [email protected]. Security disclosures: [email protected] or via our security.txt.