Privacy Policy

Last updated: 12 May 2026

1. Data controller

The data controller for personal data processed through Quidbird is Neat Little Software Limited, a company registered in England & Wales. We are registered with the Information Commissioner's Office (ICO). For questions about this policy or to exercise your rights, contact privacy@bentolabs.co.uk.

2. Personal data we collect

We collect the minimum necessary to provide the service:

  • Account & identity data — name, email, hashed authentication credentials, and profile preferences. Sign-in is handled by Clerk on our behalf.
  • Company & financial records — Limited company details, transactions, categories, receipts, VAT workings, year-end packs. This data is your accounting record.
  • Open Banking data — if you connect a bank via TrueLayer, we receive read-only transaction and balance data under your explicit consent. We do not see card numbers or login credentials.
  • Payment data — subscription status, billing email, last 4 digits of card. Full card details are held by Stripe; we never see them.
  • AI usage telemetry — prompts you send to in-product AI features, AI outputs, latency, token counts. Used to debug and improve the product.
  • Device & technical data — IP address, browser type, OS, error reports. Used for security, fraud prevention and product compatibility.

3. Lawful basis for processing

Under UK GDPR Article 6, we rely on the following bases:

  • Performance of a contract — to provide the Quidbird service you have subscribed to, including hosting, authentication, AI categorisation, VAT computation, and year-end pack generation.
  • Legitimate interests — to improve product quality, secure our systems, detect fraud, and run AI inference on your data with sub-processors that have no-train commitments. We balance these against your rights and freedoms in a Legitimate Interests Assessment.
  • Legal obligation — to retain accounting records for at least 6 years per Companies Act 2006 and HMRC guidance.
  • Consent — for Open Banking connections (revocable in the app), and for any future marketing communications (not currently sent).

4. How we use your data

  • Provide and maintain the Quidbird service.
  • Authenticate sessions and enforce access controls.
  • Send transactional emails (welcome, invitations, VAT deadlines, monthly close digests, receipt scan results, password and security notices).
  • Process Customer Data through AI for proposed categorisation, receipt extraction, anomaly detection and insights — always with a human-in-the-loop approval step.
  • Monitor for fraud, abuse, and security incidents.
  • Improve the service based on aggregated, anonymised usage patterns.

We do not sell your personal data, do not run advertising, and do not share data with third parties for marketing.

5. Sub-processors

We use a small number of carefully selected sub-processors to operate the service. All are bound by data processing agreements and operate within the UK or EU where applicable.

  • Vercel — application hosting, edge cache, file storage (Blob). EU region.
  • Neon — managed Postgres database. EU region.
  • Clerk — user authentication, MFA, session management.
  • Stripe — payment processing and subscription billing.
  • Resend — transactional email delivery.
  • TrueLayer — FCA-regulated Open Banking provider for read-only bank feeds.
  • Vercel AI Gateway (routing to Google & Groq) — AI inference for in-product features. Contractual no-train commitments in place.
  • Sentry — error monitoring with PII scrubbing applied at SDK level.
  • Upstash — rate limiting and ephemeral cache.
  • Expo Push Service — relay for iOS push notifications. Receives an opaque device token and a notification trigger only.

An up-to-date list of sub-processors is available on request. We notify customers of material additions where required.

5a. Mobile app data flows

The Quidbird iOS app is a free stand-alone companion to the paid Quidbird web service. It uses the same data controller, sub-processors and retention rules as the web product. The mobile-specific data flows are:

  • Receipt OCR — receipt images you capture are uploaded over TLS to Vercel Blob (EU region) as private objects, then processed by Vercel AI Gateway routing to Groq and Anthropic models under contractual no-train commitments. Extracted fields (supplier, date, total, VAT) are written to your bookkeeping record in Neon Postgres (EU region).
  • Authentication — handled by Clerk. The app exchanges a Clerk session for a short-lived mobile JWT, stored in the iOS keychain via expo-secure-store.
  • Push notifications — delivered via the Expo Push Service (which forwards to Apple Push Notification service). Only an opaque device token and a notification trigger reach Expo. The notification payload contains a short title and a receipt ID — no financial figures, no supplier names, no image content.
  • Crash & error reporting — Sentry with PII scrubbing applied at SDK level. No request bodies, no receipt images, no extracted text are sent to Sentry.
  • On-device storage — a local SQLite mutation queue holds pending uploads when offline. Entries are drained and deleted as soon as the network returns and the server confirms receipt. Captured images are deleted from the device cache after successful upload.

Permissions. The app asks for camera access the first time you scan a receipt, and for notification permission immediately after your first successful scan — not at launch. Both can be revoked at any time in iOS Settings.

Retention & deletion. Mobile-captured receipts follow the same retention schedule as web-uploaded receipts (at least 6 years from the end of the relevant financial year, per Companies Act 2006 and HMRC). To delete your account from the mobile app, open Settings → Delete account. This issues an authenticated DELETE to /api/mobile/account which detaches your profile from any companies you own, revokes mobile JWT and push tokens, and removes identity data within 30 days subject to the legal retention obligation above. You can also delete from the web app at Settings → Account.

6. International transfers

Personal data is primarily stored and processed in the United Kingdom and European Economic Area. Where a sub-processor relies on transfers outside the UK/EEA, we rely on adequacy decisions or Standard Contractual Clauses with additional safeguards as appropriate.

7. Data retention

We retain personal data only for as long as necessary for the purposes set out above:

  • Accounting records — at least 6 years from the end of the relevant financial year, plus a 1-year audit buffer, per Companies Act 2006 and HMRC guidance.
  • Account & identity data — while your account is active and for 30 days after closure to allow recovery and export.
  • Security & audit logs — up to 24 months, longer where required by law.
  • Marketing communication preferences — until you withdraw consent or close your account.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectification of inaccurate or incomplete data.
  • Erasure, subject to our HMRC retention obligation. We will mark accounting records as anonymised where possible, and delete fully at the end of the Retention Period.
  • Portability — export your data in CSV, PDF or JSON.
  • Restriction or objection to certain processing based on legitimate interest.
  • Withdraw consent at any time where processing is based on consent.

To exercise any of these, email privacy@bentolabs.co.uk. We respond within one month and will explain if we cannot fulfil a request and why.

9. Cookies

We use only strictly-necessary cookies for authentication, session management and security. We do not use advertising or third-party tracking cookies. As a result, no cookie banner is required under PECR.

10. Security

Security is a first-class concern. Measures include:

  • TLS 1.2+ encryption in transit for all traffic.
  • Encryption at rest for the database, file storage and backups.
  • Multi-factor authentication available on every account via Clerk.
  • Row-level multi-tenant isolation enforced in the application layer.
  • Hash-chained audit trail for accounting records (tamper-evident).
  • Least-privilege access controls for staff; access logged and reviewed.
  • Sentry error monitoring with PII scrubbing rules applied at SDK level.

No system is invulnerable. If you believe you have found a security issue, please report it responsibly to security@bentolabs.co.uk — we aim to acknowledge within 5 working days.

11. Breach notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours where required by Article 33 UK GDPR, and we will notify affected customers without undue delay where required by Article 34.

12. Children

Quidbird is not directed to children. The service is intended for adults acting for or on behalf of UK Limited companies. We do not knowingly process personal data of children under 13.

13. Data protection contact

We have not appointed a statutory Data Protection Officer (we do not meet the criteria under Article 37 UK GDPR). The point of contact for all data protection matters is privacy@bentolabs.co.uk.

If you are unhappy with how we have handled your data, you can complain to the Information Commissioner's Office at ico.org.uk. We'd appreciate the chance to address your concerns first.

14. Changes to this policy

We will update this policy from time to time. Material changes will be notified by email or in-product. The “Last updated” date at the top of this page reflects the most recent revision.