Privacy Policy

Last Updated: 8 February 2026

Scale Platforms Ltd ("we", "us", "our") operates digital applications and services. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

Scale Platforms Ltd
Company No. 17006761
Email: privacy@scaleplatforms.co.uk

2. Data We Collect

2.1 Account Data

Data | Purpose | Lawful Basis
Email address | Account login, notifications | Contract performance
Name | Display in app | Contract performance
Auth0 user ID | User identification and data isolation | Contract performance
Authentication method | Passkey or password login | Contract performance

2.2 Receipt Data

Data | Purpose | Lawful Basis
Receipt images | OCR extraction and record-keeping | Contract performance
Merchant name and address | Expense categorisation | Contract performance
Transaction date and time | Tax year assignment | Contract performance
Line items and prices | Categorisation and totals | Contract performance
VAT amounts | HMRC self-assessment support | Contract performance
Category and HMRC category | Tax reporting | Contract performance

2.3 Project Data

Data | Purpose | Lawful Basis
Project names | Job costing and organisation | Contract performance
Client names | Job tracking | Contract performance
Budget amounts | Financial tracking | Contract performance

2.4 Budget Data

Data | Purpose | Lawful Basis
Budget names and amounts | Household spending tracking | Contract performance
Category limits | Spending alerts | Contract performance

2.5 Technical Data

Data | Purpose | Lawful Basis
IP address | Security, abuse prevention | Legitimate interest
Browser/device type | Service optimisation | Legitimate interest
Application logs | Debugging and service reliability | Legitimate interest

3. How We Use Your Data

We use your data exclusively to:

  1. Provide the service: Process receipt images, extract data via OCR, categorise expenses, and store records.
  2. Authenticate you: Verify your identity via Auth0 to protect your account.
  3. Isolate your data: Ensure you only see your own receipts, projects, and budgets.
  4. Generate reports: Produce CSV exports and summaries for tax returns or household tracking.
  5. Improve the service: Analyse anonymised usage patterns to improve features (no personal data shared).

We do not:

  • Sell your personal data to third parties.
  • Use your data for advertising.
  • Share your receipt images or financial data with anyone.

4. Data Processing and Sub-Processors

We use the following sub-processors to deliver our service:

Sub-Processor | Purpose | Data Processed | Location
Microsoft Azure | Cloud hosting, storage, database | All service data | UK South (London)
Azure Document Intelligence | OCR receipt scanning | Receipt images (processed in-memory, not retained) | UK South
Azure OpenAI | AI categorisation fallback | Receipt text (processed in-memory, not retained) | UK South
Auth0 (Okta) | Authentication | Email, name, login credentials | EU (UK region)

All sub-processors are bound by data processing agreements. Azure services are configured in the UK South region to maintain UK data residency.

5. Data Storage and Security

5.1 Storage

  • Receipt images: Azure Blob Storage (UK South), encrypted at rest (AES-256), access controlled by user ID prefix.
  • Receipt data: Azure Cosmos DB (UK South), encrypted at rest, partitioned by user for data isolation.
  • Authentication tokens: Stored in browser memory only (not persisted to disk).

5.2 Security Measures

  • All data transmitted over TLS 1.2+.
  • Authentication via Auth0 with JWT tokens (RS256 signed).
  • Managed Identity for service-to-service authentication (no API keys in code).
  • All database queries filtered by authenticated user ID.
  • Passkey support (FIDO2) for phishing-resistant authentication.

6. Data Retention

Data Type | Retention Period | Justification
Receipt data and images | Until you delete them, or account closure + 30 days | HMRC requires 5-year record keeping; we leave retention to you
Account data | Until account closure + 30 days | Contract performance
Application logs | 30 days | Debugging and operational support
Authentication logs | 90 days (Auth0) | Security monitoring

You can delete individual receipts at any time via the app. Deleted data is permanently removed from our database and blob storage.

7. Your Rights (UK GDPR)

You have the following rights under UK GDPR:

Right | How to Exercise
Access | Export your data via CSV export in the app, or email us
Rectification | Edit receipt details directly in the app
Erasure | Delete receipts in the app, or request full account deletion
Data Portability | Use CSV export to download your data
Restrict Processing | Email us to restrict processing
Object | Email us to object to processing
Withdraw Consent | Where consent is the basis, withdraw at any time

Contact: privacy@scaleplatforms.co.uk. We respond within 30 days.

8. International Transfers

Your data is processed and stored in the United Kingdom (Azure UK South region). Authentication data is processed by Auth0 in the EU region.

We do not transfer your data outside the UK/EEA. If this changes, we will update this policy and ensure appropriate safeguards (Standard Contractual Clauses or UK adequacy decisions) are in place.

9. Children's Data

Our service is not directed at individuals under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. The "Last Updated" date at the top of this page indicates when the policy was last revised.

11. Complaints

If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

12. Contact Us

For any privacy-related questions or requests:

Email: privacy@scaleplatforms.co.uk