Privacy Policy
Fidora is a service provided by Fidora Ltd (“we”, “us”, “our”), a company registered in England and Wales (company number 17316037). This policy explains how we collect, use, store and protect your personal data when you use Fidora (the “Service”), and your rights under the UK GDPR and the Data Protection Act 2018.
1. Who we are
Fidora Ltd is the data controller for personal data processed through the Service. You can contact us about privacy at hello@fidora.co.uk.
2. Data we collect
- Account data — your name, email address, a securely hashed password, and two-factor authentication data.
- Individual tax details you enter — full name, Unique Taxpayer Reference (UTR) and National Insurance number, for the people you plan tax for.
- Company data — company numbers you add, and information retrieved from the Companies House public register (officers, filings, accounts).
- Financial data (read-only) — where you authorise it, information retrieved from Xero and HMRC: VAT obligations/liabilities/returns, Self Assessment charges, payments and balances, and balance-sheet figures.
- Technical data — IP address and device/browser information. Some of this is required to build HMRC’s mandatory fraud-prevention headers when we call their APIs. We also use essential cookies.
3. How we use your data and our legal bases
- To provide the Service — performance of our contract with you.
- To meet HMRC’s mandatory fraud-prevention requirements — legal obligation and legitimate interests.
- For security and fraud prevention — legitimate interests.
- To communicate with you about your account — contract and legitimate interests.
- For billing, once paid plans are live — performance of our contract.
4. Read-only integrations
Fidora connects to Xero, HMRC and Companies House on a strictly read-only basis. We retrieve information to show you your position; we never write to, submit to, or change anything in those systems.
5. Who we share data with
We use trusted third-party processors to run the Service: Supabase (database and authentication), Vercel (application hosting), and a payment provider for billing once paid plans launch. We exchange data with HMRC, Xero and Companies House only to authenticate and retrieve information at your request. We do not sell your personal data.
6. How we protect your data
- OAuth tokens are encrypted at rest (AES-256-GCM).
- Row-Level Security ensures you can only ever access your own data.
- All traffic is encrypted in transit over HTTPS.
- Two-factor authentication protects account sign-in.
7. Data retention
We keep your data for as long as your account is active and as required to meet legal or regulatory obligations, after which we delete or anonymise it.
8. International transfers
Some processors may process data outside the UK. Where they do, we rely on appropriate safeguards (such as UK adequacy regulations or standard contractual clauses).
9. Your rights
Under UK data-protection law you have the right to access, correct, delete, restrict or object to the processing of your personal data, to data portability, and to withdraw consent. To exercise any of these, contact hello@fidora.co.uk. You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.
10. Cookies
We use essential cookies needed for sign-in, security and to keep you logged in. We do not use them for advertising.
11. Changes to this policy
We may update this policy from time to time; the “last updated” date above will change.
12. Contact
Questions? Email hello@fidora.co.uk.