Legal

Privacy Policy

Last updated: 23 June 2026

Key point: Settlesol processes your uploaded financial files in memory only. We never store invoice amounts, customer names, supplier names, account balances, or any financial data from your uploaded files. Only metadata (run date, module, row count, status) is retained for audit purposes.

1. Who we are

Settlesol ("we", "us", "our") is a finance operations platform that automates invoice chasing and supplier statement reconciliation. Our registered contact is [email protected].

When you use Settlesol, you are the data controller for any personal data belonging to your customers, suppliers or employees that you upload or process through our platform. We act as your data processor for that data. This Privacy Policy covers the personal data we collect about you as a subscriber or user of Settlesol.

2. What personal data we collect

Category	Examples	How we collect it
Identity & contact	Name, email address, company name	You provide at registration
Account data	Login credentials, role, team member details	You provide at registration or via Settings
Billing data	Subscription plan, payment method (via Stripe — we never see full card numbers)	Stripe payment processor
Usage data	Module run history (metadata only — dates, row counts, status), feature usage, login times	Automatically, when you use the platform
Communications	Support emails, feedback	You provide directly
Device data	IP address, browser type, operating system	Automatically via server logs

3. What we do NOT collect or store

Settlesol does not store the contents of files you upload. Invoice amounts, customer names, supplier names, account balances, reference numbers, payment terms, and all other financial data from your CSV or PDF uploads are processed in memory only and permanently discarded after each session. This data never touches our database.

4. How we use your personal data

To provide the service — account management, module execution, team management, billing
To communicate with you — service updates, trial reminders, billing receipts, support responses
To improve the platform — anonymised usage analytics to understand feature usage
To enforce our terms — detecting abuse, fraud prevention
Legal compliance — responding to lawful requests from authorities

5. Legal basis for processing (GDPR)

Contract — processing your account data, billing data, and usage data is necessary to provide the service you subscribed to
Legitimate interest — security monitoring, platform improvement using anonymised data, direct marketing to existing subscribers
Legal obligation — retaining records required by law
Consent — for any marketing to prospective customers

6. Third parties we share data with

Provider	Purpose	Data shared
Stripe	Payment processing and subscription management	Email, billing details
Resend	Transactional email delivery (trial reminders, receipts)	Email address, name
Render	Cloud hosting and infrastructure (Frankfurt, EU)	All account data stored in our database
Cloudflare	DNS, CDN, DDoS protection	IP address, request metadata

We do not sell your personal data. We do not share it with advertisers or data brokers.

7. Data retention

Account data — retained for the duration of your subscription plus 90 days after cancellation, then deleted
Billing records — retained for 7 years (UK tax law requirement)
Module run metadata — retained for the duration of your account and deleted upon account deletion request
Uploaded file contents — never stored; discarded immediately after processing
Server logs — retained for 30 days, then deleted

8. Security

We implement technical and organisational measures to protect your personal data including:

Encryption in transit (TLS 1.2+) for all data; storage security managed by Render infrastructure
httpOnly, Secure, SameSite cookies for authentication
Row-level security (RLS) enforcing strict tenant data isolation
Rate limiting and CSRF protection on all endpoints
BCRYPT password hashing
Infrastructure hosted in Frankfurt (EU), Render platform

No method of electronic storage is completely secure. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours where required by law.

9. International transfers

Your data is stored on servers in Frankfurt, Germany (EU). Some of our sub-processors (Stripe, Resend) may process data in the United States under Standard Contractual Clauses and the EU-US Data Privacy Framework.

10. Your rights

Under UK GDPR and the Data Protection Act 2018, you have the right to:

Access — request a copy of the personal data we hold about you
Correction — request correction of inaccurate data
Deletion — request deletion of your personal data ("right to be forgotten")
Restriction — request we limit processing of your data
Portability — receive your data in a portable format
Object — object to processing based on legitimate interest

To exercise any right, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.

11. Cookies

Settlesol uses only essential cookies necessary for authentication. We do not use tracking, advertising or analytics cookies. See our Cookie Policy for details.

12. Changes to this policy

We may update this policy from time to time. We will notify you by email and in-app notification at least 14 days before material changes take effect. Continued use of the platform after that date constitutes acceptance of the updated policy.

13. Contact

Data controller: Settlesol
Email: [email protected]
Website: settlesol.com