Privacy Policy
Last updated: 15 May 2026
1. Who We Are
GraftLog is operated by GraftLog Ltd, a company registered in England and Wales. We act as the data controller for personal data you submit to the GraftLog platform.
Company: GraftLog Ltd
Registered address: [to be added once Companies House details are confirmed]
Company number: [to be added]
ICO registration: [to be added once registered with the Information Commissioner's Office]
Contact: graftlog.com/contact
2. Information We Collect
We collect the following categories of information:
- Account information: Name, email address, phone number (optional), business name (optional), trade type, and postcode when you register.
- Business data: Quotes, invoices, expenses, client details, job records, bank details (if you choose to add them), and any other financial information you enter.
- Receipt images: When you scan a receipt, the image is sent to our OCR provider (Mistral) for text extraction. Receipt images may be stored in our object storage so you can re-view them against the parsed expense.
- Payment information: Subscription status and billing data processed by Stripe. We do not see or store your full card details.
- Usage data: Pages visited, features used, error logs and similar diagnostic data, used to operate and improve the service.
- Cookies: Essential cookies for sign-in and security only. We do not run advertising or third-party tracking cookies.
3. Lawful Basis & How We Use Your Information
We rely on the following lawful bases under UK GDPR Article 6:
- Contract (Art. 6(1)(b)): to provide the platform, process payments, generate quotes/invoices and respond to support requests.
- Legitimate interests (Art. 6(1)(f)): to keep the service secure, detect abuse, improve features and contact you about material service changes.
- Legal obligation (Art. 6(1)(c)): to retain financial records as required by UK tax and company law.
- Consent (Art. 6(1)(a)): only used where explicitly requested (for example, optional marketing emails).
4. Data Storage, Location and Security
Your data is stored on Cloudflare's infrastructure inside the UK / EU region. Data is encrypted at rest (AES-256) by our hosting providers and in transit using TLS. Access to production systems is restricted and authenticated.
5. Sub-processors & Data Sharing
We do not sell your personal data. We use carefully selected sub-processors:
- Cloudflare: hosting, database (D1), object storage (R2), CDN, DDoS protection.
- Clerk: authentication and session management.
- Stripe: subscription billing and payment processing.
- Mistral: AI receipt OCR and quote/invoice item generation.
- Resend (or equivalent): transactional email delivery.
- Plausible / PostHog (when enabled): privacy-respecting product analytics.
See our sub-processors page for the full list and links to each provider's privacy terms.
We will never share your business data (quotes, invoices, client details) with third parties without your explicit consent, except where required by law or to comply with a valid request from HMRC or a UK court.
6. Your Rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (subject to our legal retention obligations)
- Export your data in a portable format — CSV exports are available in-app, and a full account export can be requested via our contact form
- Object to processing of your data
- Withdraw consent at any time where consent is the basis
- Lodge a complaint with the Information Commissioner's Office (ico.org.uk)
To exercise any of these rights, contact us via the contact page. We will respond within one month.
7. Data Retention
- Account & business data: retained while your account is active.
- After cancellation: retained for 90 days so you can reactivate, then deleted.
- Financial records (invoices, expenses): retained for up to 7 years where required by HMRC under UK tax law, then deleted.
- Receipt images: retained alongside the related expense; lifecycle-deleted from object storage 7 years after the relevant tax year.
- Operational logs: retained for up to 30 days for debugging and abuse detection, then deleted.
8. Cookies
We use only essential cookies required for sign-in and CSRF protection. We do not use advertising, profiling, or third-party tracking cookies. If we introduce analytics in future, we will use a privacy-respecting service (no third-party tracking, no PII) or add a consent banner before enabling it.
9. International Transfers
Some of our sub-processors (notably Stripe and Clerk) may transfer data outside the UK. Where this happens, transfers rely on the UK's International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an applicable adequacy decision.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be notified to you by email or via an in-app notice at least 30 days before they take effect.
11. Contact Us
For any privacy questions or to exercise your data rights, please contact us via our contact page.