Privacy policy

Effective date: 20 April 2026

Last updated: 20 April 2026

This Privacy Policy explains how PIPERNUS GROUP LTD (“we”, “us”, “our”) collects, uses, shares and protects personal data when you use Pipernus — our accounting and receipt-capture service — available through our website (https://pipernus.com) and our mobile application (together, the “Service”).

We are the data controller for personal data processed through the Service. We are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

Data controller: PIPERNUS GROUP LTD

Registered office: 2 Lakeside Drive, 6th Floor, Park Royal, C/O London Do It Ltd, London, England, NW10 7FQ, United Kingdom

Company number: 15880060 (registered in England and Wales)

ICO registration number: ZC127928

Contact email: hello@pipernus.com

If you have any questions about this policy or about how we handle your personal data, please contact us at hello@pipernus.com.

2. What personal data we collect

We only collect data that is necessary to deliver the Service.

2.1 Data you provide directly

Account information: email address, password (stored hashed), full name (optional).
Company and business information: company name, VAT number, company type, accounting period, chart of accounts.
Receipts, invoices and accounting records: images of receipts and invoices that you upload, together with the financial data extracted from them (supplier, date, amount, VAT, category).
Bank and transaction data: if you choose to connect a bank feed or manually import transactions.
Support communications: the content of any emails or messages you send us.

2.2 Data we collect automatically

Device information: device model, operating system version, app version, language, time zone.
Usage data: pages/screens visited, actions performed within the app, session duration, error and crash diagnostics.
Technical logs: IP address, approximate location (derived from IP at country/region level only), date and time of requests.
Security signals: device integrity indicators (e.g. whether the device appears to be rooted or jailbroken), used solely to protect your account.

2.3 Data we do not collect

We do not track your precise GPS location.
We do not access your contacts, calendar or microphone.
We do not use advertising identifiers or third-party advertising networks.
We do not sell your personal data to third parties.

3. Why we use your personal data (purposes and legal bases)

Under UK GDPR, we must have a lawful basis to process your personal data. We rely on the following bases:

Purpose	Lawful basis (UK GDPR Art. 6)
Creating and managing your account	Contract (Art. 6(1)(b))
Providing the core accounting and receipt-capture features	Contract
Processing your payment for a paid subscription	Contract
Sending you transactional emails (password reset, receipts, account notices)	Contract
Improving the Service, diagnosing errors, protecting against fraud and abuse	Legitimate interests (Art. 6(1)(f))
Keeping accounting and tax records as required by UK law	Legal obligation (Art. 6(1)(c))
Sending marketing emails (only if you opt in)	Consent (Art. 6(1)(a)) — withdrawable at any time

4. Who we share data with (data processors)

We do not sell or rent your personal data. We share data only with carefully selected processors that act on our instructions under a written Data Processing Agreement:

Supabase Inc. (United States) — database, authentication and file storage.
Google LLC — Google Play distribution (Android) and Firebase services used for crash reporting (mapping anonymised crash reports to our code).
Apple Inc. — App Store distribution (iOS) once released.
Cloudflare, Inc. — website hosting, CDN and DDoS protection.
HMRC — only where legally required (e.g. Making Tax Digital submissions you explicitly initiate).
Professional advisers — accountants, auditors and lawyers under duties of confidentiality.
Law enforcement or regulators — only where we are legally compelled to do so.

A full, up-to-date list of sub-processors is available on request.

5. International transfers

Some of our processors (notably Supabase Inc.) are located in the United States. Where personal data is transferred outside the UK, we rely on:

the UK Addendum to the EU Standard Contractual Clauses (SCCs), and / or
the UK Extension to the EU–US Data Privacy Framework, where the recipient is certified.

A copy of the safeguards we rely on is available on request.

6. How long we keep your data

We keep personal data only for as long as necessary for the purposes for which we collected it:

Account data — for as long as your account is active, plus 30 days after you request deletion (grace period).
Accounting and tax records — at least 6 years after the end of the last accounting period to which they relate. This is a legal retention requirement under UK tax law (HMRC). We retain these records even after account deletion.
Support correspondence — up to 3 years.
Security and audit logs — up to 12 months.
Backups — deleted data may persist in encrypted backups for up to 90 days before being overwritten.

At the end of each period, we securely delete or anonymise the data.

7. Your rights under UK GDPR

You have the following rights in relation to your personal data:

Right of access — obtain a copy of the data we hold about you.
Right to rectification — correct any inaccurate or incomplete data.
Right to erasure (“right to be forgotten”) — request deletion of your personal data, subject to the retention exceptions listed in section 6.
Right to restrict processing — ask us to pause processing in certain circumstances.
Right to data portability — receive your data in a structured, machine-readable format (CSV / JSON).
Right to object — object to processing based on legitimate interests.
Right to withdraw consent — where processing is based on consent.
Right not to be subject to solely automated decisions — we do not make decisions about you that produce legal or similarly significant effects solely by automated means.

To exercise any of these rights, email hello@pipernus.com. We will respond within one month.

If you are unhappy with our response, you have the right to complain to the Information Commissioner’s Office (ICO):

Website: https://ico.org.uk

Phone: 0303 123 1113

Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

8. How to delete your account

You can delete your account and associated personal data at any time:

In the app: go to Settings → Delete account, and follow the confirmation steps. (Note: if the in-app option is not yet available in your app version, use the web method below.)
On the web: visit https://www.pipernus.com/account-deletion/ and submit the form with the email address registered to your account, or email us at hello@pipernus.com from that address requesting deletion.

What happens after deletion:

Your account is deactivated immediately.
Personal data and receipts you uploaded are permanently deleted within 30 days.
Data that we are legally required to retain (e.g. accounting records for HMRC) is moved to restricted storage and kept for the statutory retention period (see section 6).
Backups containing your data are overwritten within 90 days.

Deletion is permanent and cannot be undone. Please export any records you wish to keep before deleting your account.

9. Security

We protect your data using:

Encryption in transit: all traffic between your device and our servers uses TLS 1.2 or higher.
Encryption at rest: databases and file storage are encrypted on disk.
Access controls: role-based access, multi-factor authentication for our staff, least-privilege permissions.
Row-level security: each organisation’s data is isolated at the database level.
Device integrity checks: the mobile app checks for signs of tampering (root / jailbreak) and restricts sensitive operations on compromised devices.
Code hardening: the Android release is minified and obfuscated (R8 full mode) to reduce reverse-engineering risk.
Regular audits and vulnerability scanning.

No system is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights, we will notify the ICO within 72 hours and, where required, notify you without undue delay.

10. Cookies and similar technologies

Our website uses a small number of strictly necessary cookies (session, authentication, CSRF protection). We do not use advertising, profiling or cross-site tracking cookies.

The mobile app does not use web cookies. It uses local secure storage to keep you signed in on your device.

11. Children

The Service is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact hello@pipernus.com and we will delete it.

12. Changes to this policy

We may update this policy from time to time to reflect changes in the Service, in law, or in our practices. When we make material changes we will notify you by email or through an in-app notice at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the latest version.

13. Contact us

Email: hello@pipernus.com

Website: https://pipernus.com

Postal address: PIPERNUS GROUP LTD, 2 Lakeside Drive, 6th Floor, Park Royal, C/O London Do It Ltd, London, England, NW10 7FQ, United Kingdom

This policy was last updated on 20 April 2026.