Privacy Policy
Last updated: 5 May 2026 • Version: 1.0
1. Who we are
Repayas Limited ("Repayas," "we," "us," or "our") is a company registered in the United Kingdom. Our registered office is 20-22 Wenlock Road, London, England, N1 7GU.
We are the data controller for the personal data we collect about you when you use our service.
If you have any questions about this Privacy Policy or how we handle your data, contact us at privacy@repayas.com.
2. What this policy covers
This policy explains:
- What personal data we collect about you
- How we collect it
- Why we collect it and the legal basis for processing
- Who we share it with
- How long we keep it
- Your rights and how to exercise them
This policy applies to your use of:
- The Repayas web application at repayas.com and its subdomains
- The Friday SMS service
- All Repayas communications (email, SMS, support)
3. What personal data we collect
We collect the following categories of personal data:
Identity data
- Your full name
- Your business name
- Your date of birth
- Your residential address (postcode area used for verification)
- Your mobile phone number
- Your email address
Verification data
- Your business's Companies House registration number
- Your VAT registration number
- Your HMRC Unique Tax Reference (UTR), if you are a sole trader
Financial data
- Transaction data from your connected bank accounts (date, amount, description, merchant, direction)
- Account balances at the time of sync
- The classification of accounts as Operating or Reserve, as you have tagged them
- Calculated values produced by Repayas: Safe-to-Spend, VAT Due, Buffer, Unprotected Liability, Coverage Ratio
- Records of recommendations issued and whether you acted on them
Usage data
- Pages you view in the Repayas application
- Features you use
- Time and date of your visits
- Approximate location (derived from IP address — city level only)
Communication data
- Records of your contact with our support team
- Records of SMS messages we send you
- Your preferences about communications
4. How we collect your data
We collect personal data in three ways:
Directly from you, when you:
- Sign up for a Repayas account
- Enter your business details
- Tag your bank accounts as Operating or Reserve
- Contact our support team
- Respond to surveys
Automatically, when you:
- Use the Repayas application (usage data, device information)
- Receive SMS messages (delivery status only)
From third parties, specifically:
- TrueLayer (an FCA-authorised Account Information Service Provider) — we access your bank transaction data and balances through TrueLayer with your explicit Open Banking consent. We never see your banking credentials, never store your password, and never have access to move funds.
- Companies House (UK government registry) — we verify your business's registration details using the public Companies House API at the point of sign-up.
5. Why we collect your data and the legal basis
We process your personal data on the following legal bases under UK GDPR:
Performance of a contract (the primary basis)
To deliver the Repayas service to you, including:
- Calculating your Safe-to-Spend number
- Detecting VAT liability from your transactions
- Sending the Friday SMS
- Maintaining your account
Legitimate interests
To run our business effectively, including:
- Detecting and preventing fraud
- Improving the Repayas product based on aggregate usage patterns
- Sending you product updates and important service announcements
We have assessed that these legitimate interests do not override your privacy rights. You can object to processing on this basis at any time.
Legal obligation
Where we are required to retain or disclose data under UK law, including:
- Tax records
- Anti-money laundering obligations (when we extend to financing in future product versions)
- Responses to lawful requests from regulators or law enforcement
Consent
For specific optional features, including:
- Sharing your data with a nominated accountant
- Marketing communications (you can withdraw consent at any time)
6. Who we share your data with
We share your personal data with a limited number of third parties:
Service providers acting on our behalf:
- TrueLayer (UK) — Open Banking infrastructure
- Twilio (Ireland for UK customers) — SMS delivery
- Vercel (USA, with UK data residency where available) — application hosting
- Supabase (USA, EU regions selected) — database hosting
- Stripe (Ireland for UK customers) — subscription billing
All service providers are bound by data processing agreements and are required to handle your data in accordance with UK GDPR.
Your accountant (only if you choose to invite them)
If you provide your accountant's email and send them an invite, we share a summary of your Safe-to-Spend position with them. We do not share full transaction data with your accountant unless you specifically authorise it.
Legal and regulatory authorities
We may disclose your data if required by law, including in response to court orders, valid regulatory requests, or to prevent or detect crime.
In the event of a business transfer
If Repayas is acquired by or merges with another business, your data may be transferred to the new entity. You will be notified of any such change.
We do not sell your data to anyone, ever.
We do not share your data with advertisers. We do not allow third parties to access your data for marketing purposes.
7. International data transfers
Some of our service providers are based outside the UK. When we transfer your data internationally, we ensure it is protected by:
- The UK's adequacy decision for EU/EEA countries
- UK International Data Transfer Agreements (IDTAs) for transfers to the USA and other non-adequate countries
- Standard Contractual Clauses where required
You can request a copy of these safeguards by emailing privacy@repayas.com.
8. How long we keep your data
We retain your data for as long as it is needed for the purposes set out in this policy:
| Data category | Retention period |
|---|---|
| Active account data | While your account is active |
| Transaction data | While your account is active, plus 12 months after closure |
| Calculation records | 7 years (UK tax law requirement) |
| Communications | 3 years |
| Marketing preferences | Until you withdraw consent |
| Audit logs | 7 years (financial regulation requirement) |
After these periods, your data is securely deleted or anonymised.
9. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — correct any inaccurate or incomplete data
- Right to erasure — request deletion of your data (subject to legal retention requirements)
- Right to restrict processing — limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where consent is the basis for processing
To exercise any of these rights, email privacy@repayas.com. We will respond within one month.
If you are not satisfied with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by phone on 0303 123 1113.
10. How we keep your data secure
We use industry-standard security measures including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Multi-factor authentication for our team's access to systems
- Regular security audits and penetration testing
- Role-based access control — staff see only the data they need
- No banking credentials stored — Open Banking access is mediated by TrueLayer
If a data breach occurs that is likely to affect your rights, we will notify you and the ICO within 72 hours.
11. Cookies and tracking
We use a limited number of essential cookies to make Repayas work. See our Cookie Policy for full details.
12. Changes to this policy
We may update this policy from time to time. When we do, we will:
- Update the "Last updated" date at the top
- Notify you by email if the changes are material
- Provide reasonable notice before the changes take effect
The most current version is always available at repayas.com/privacy.
13. Contact us
For privacy-related questions or to exercise your rights:
Email: privacy@repayas.com
Post: Repayas Limited, 20-22 Wenlock Road, London, England, N1 7GU