Privacy Policy

Last updated: 5 May 2026 • Version: 1.0

1. Who we are

Repayas Limited ("Repayas," "we," "us," or "our") is a company registered in the United Kingdom. Our registered office is 20-22 Wenlock Road, London, England, N1 7GU.

We are the data controller for the personal data we collect about you when you use our service.

If you have any questions about this Privacy Policy or how we handle your data, contact us at privacy@repayas.com.

2. What this policy covers

This policy explains:

  • What personal data we collect about you
  • How we collect it
  • Why we collect it and the legal basis for processing
  • Who we share it with
  • How long we keep it
  • Your rights and how to exercise them

This policy applies to your use of:

  • The Repayas web application at repayas.com and its subdomains
  • The Friday SMS service
  • All Repayas communications (email, SMS, support)

3. What personal data we collect

We collect the following categories of personal data:

Identity data

  • Your full name
  • Your business name
  • Your date of birth
  • Your residential address (postcode area used for verification)
  • Your mobile phone number
  • Your email address

Verification data

  • Your business's Companies House registration number
  • Your VAT registration number
  • Your HMRC Unique Tax Reference (UTR), if you are a sole trader

Financial data

  • Transaction data from your connected bank accounts (date, amount, description, merchant, direction)
  • Account balances at the time of sync
  • The classification of accounts as Operating or Reserve, as you have tagged them
  • Calculated values produced by Repayas: Safe-to-Spend, VAT Due, Buffer, Unprotected Liability, Coverage Ratio
  • Records of recommendations issued and whether you acted on them

Usage data

  • Pages you view in the Repayas application
  • Features you use
  • Time and date of your visits
  • Approximate location (derived from IP address — city level only)

Communication data

  • Records of your contact with our support team
  • Records of SMS messages we send you
  • Your preferences about communications

4. How we collect your data

We collect personal data in three ways:

Directly from you, when you:

  • Sign up for a Repayas account
  • Enter your business details
  • Tag your bank accounts as Operating or Reserve
  • Contact our support team
  • Respond to surveys

Automatically, when you:

  • Use the Repayas application (usage data, device information)
  • Receive SMS messages (delivery status only)

From third parties, specifically:

  • TrueLayer (an FCA-authorised Account Information Service Provider) — we access your bank transaction data and balances through TrueLayer with your explicit Open Banking consent. We never see your banking credentials, never store your password, and never have access to move funds.
  • Companies House (UK government registry) — we verify your business's registration details using the public Companies House API at the point of sign-up.

5. Why we collect your data and the legal basis

We process your personal data on the following legal bases under UK GDPR:

Performance of a contract (the primary basis)

To deliver the Repayas service to you, including:

  • Calculating your Safe-to-Spend number
  • Detecting VAT liability from your transactions
  • Sending the Friday SMS
  • Maintaining your account

Legitimate interests

To run our business effectively, including:

  • Detecting and preventing fraud
  • Improving the Repayas product based on aggregate usage patterns
  • Sending you product updates and important service announcements

We have assessed that these legitimate interests do not override your privacy rights. You can object to processing on this basis at any time.

Legal obligation

Where we are required to retain or disclose data under UK law, including:

  • Tax records
  • Anti-money laundering obligations (when we extend to financing in future product versions)
  • Responses to lawful requests from regulators or law enforcement

Consent

For specific optional features, including:

  • Sharing your data with a nominated accountant
  • Marketing communications (you can withdraw consent at any time)

6. Who we share your data with

We share your personal data with a limited number of third parties:

Service providers acting on our behalf:

  • TrueLayer (UK) — Open Banking infrastructure
  • Twilio (Ireland for UK customers) — SMS delivery
  • Vercel (USA, with UK data residency where available) — application hosting
  • Supabase (USA, EU regions selected) — database hosting
  • Stripe (Ireland for UK customers) — subscription billing

All service providers are bound by data processing agreements and are required to handle your data in accordance with UK GDPR.

Your accountant (only if you choose to invite them)

If you provide your accountant's email and send them an invite, we share a summary of your Safe-to-Spend position with them. We do not share full transaction data with your accountant unless you specifically authorise it.

Legal and regulatory authorities

We may disclose your data if required by law, including in response to court orders, valid regulatory requests, or to prevent or detect crime.

In the event of a business transfer

If Repayas is acquired or merges with another business, your data may transfer to the new entity. You will be notified of any such change.

We do not sell your data to anyone, ever.

We do not share your data with advertisers. We do not allow third parties to access your data for marketing purposes.

7. International data transfers

Some of our service providers are based outside the UK. When we transfer your data internationally, we ensure it is protected by:

  • The UK's adequacy decision for EU/EEA countries
  • UK International Data Transfer Agreements (IDTAs) for transfers to the USA and other non-adequate countries
  • Standard Contractual Clauses where required

You can request a copy of these safeguards by emailing privacy@repayas.com.

8. How long we keep your data

We retain your data for as long as it is needed for the purposes set out in this policy:

Data category | Retention period
Active account data | While your account is active
Transaction data | While your account is active, plus 12 months after closure
Calculation records | 7 years (UK tax law requirement)
Communications | 3 years
Marketing preferences | Until you withdraw consent
Audit logs | 7 years (financial regulation requirement)

After these periods, your data is securely deleted or anonymised.

9. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — correct any inaccurate or incomplete data
  • Right to erasure — request deletion of your data (subject to legal retention requirements)
  • Right to restrict processing — limit how we use your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where consent is the basis for processing

To exercise any of these rights, email privacy@repayas.com. We will respond within one month.

If you are not satisfied with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by phone on 0303 123 1113.

10. How we keep your data secure

We use industry-standard security measures including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication for our team's access to systems
  • Regular security audits and penetration testing
  • Role-based access control — staff only see data they need
  • No banking credentials stored — Open Banking access is mediated by TrueLayer

If a data breach occurs that is likely to affect your rights, we will notify you and the ICO within 72 hours.

11. Cookies and tracking

We use a limited number of essential cookies to make Repayas work. See our Cookie Policy for full details.

12. Changes to this policy

We may update this policy from time to time. When we do, we will:

  • Update the "Last updated" date at the top
  • Notify you by email if the changes are material
  • Provide reasonable notice before the changes take effect

The most current version is always available at repayas.com/privacy.

13. Contact us

For privacy-related questions or to exercise your rights:

Email: privacy@repayas.com

Post: Repayas Limited, 20-22 Wenlock Road, London, England, N1 7GU