Back to VATTY
Legal

Privacy Policy

Last updated: 14 May 2026

1. Introduction

This Privacy Policy explains how VATTY (“we”, “us”, “our”) collects, uses, and protects personal data when you use our platform.

We are committed to protecting personal data in accordance with:

  • UK GDPR
  • EU GDPR

2. Who We Are (Data Controller)

VATTY LTD is the data controller for account and platform usage data.

Legal entity: VATTY LTD
Company number: 17088818
Registered address: 37 Limes Road, Beckenham, England, BR3 6NS
Contact email: info@vatty.com

For certain services, we also act as a data processor on behalf of our customers.

3. Our Role: Controller vs Processor

We act as a Data Controller for:

  • Account registration details
  • User login and authentication data
  • Billing and subscription information
  • Platform usage analytics

We act as a Data Processor for:

  • Financial transaction data
  • Invoice and receipt data
  • VAT-related information
  • Supporting documents uploaded or processed through the platform

In these cases, our customers, such as accountancy firms or businesses using VATTY, are the data controllers.

4. Data We Collect

4.1 Account Data

  • Name
  • Email address
  • Firm name
  • Login credentials

4.2 Financial & Transaction Data

  • Invoice and receipt data
  • Supplier details
  • VAT numbers
  • Transaction values
  • Tax amounts
  • Dates and references

4.3 Documents

  • Uploaded invoices and receipts
  • Supporting VAT documentation
  • Evidence files generated within VATTY

4.4 System & Usage Data

  • IP address
  • Device/browser type
  • Access logs
  • Activity within the platform

4.5 AI-Generated Outputs

  • VAT classification results
  • Confidence scores
  • Validation flags
  • Evidence summaries

These outputs are generated based on input data and are used to support decision-making.

5. How We Collect Data

We collect data via:

  • Direct user input
  • Integrations such as Xero and similar systems
  • Automated processing of uploaded documents
  • Platform usage

6. How We Use Data

We process data to deliver the VATTY service, including:

  • Validating VAT compliance of invoices
  • Extracting and structuring financial data
  • Generating evidence bundles
  • Supporting accounting workflows

We also process data for:

  • Automation and classification
  • Security and integrity
  • Fraud prevention
  • System monitoring
  • Product improvement

7. Legal Basis for Processing

We rely on the following legal bases:

Contract

To provide VATTY services to customers.

Legitimate Interests

  • Improving product performance
  • Ensuring platform security
  • Preventing fraud

Legal Obligation

Compliance with applicable laws and regulatory requirements.

Where we act as a processor, processing is carried out on the documented instructions of the customer.

8. Data Sharing

We may share data with service providers such as:

  • Cloud hosting providers
  • Infrastructure and storage services
  • Analytics providers
  • Integration partners such as Xero
  • AI processing providers used to deliver extraction, classification, and validation functionality

Uploaded documents may be securely processed using third-party AI services for extraction, classification, and validation purposes.

No customer data is sold or used for advertising.

All processors are bound by GDPR-compliant agreements.

We may also share data with legal and regulatory authorities where required by law or to protect rights and safety.

9. International Data Transfers

Where data is transferred outside the UK or EEA, we ensure appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs)
  • Transfers to countries with adequacy decisions

10. Data Retention

We retain data only as long as necessary.

  • Account data: retained for the duration of the relationship and up to 6 years
  • Financial and transaction data: retained as determined by the customer controller
  • Logs and system data: retained for security and audit purposes

Backups may persist for a limited period after deletion for disaster recovery and security purposes.

11. Data Security

We implement appropriate technical and organisational measures, including:

  • Encryption in transit and at rest
  • Access controls and authentication
  • System monitoring and logging
  • Secure infrastructure

12. Your Rights

Under GDPR, individuals have the right to:

  • Access their data
  • Request correction
  • Request deletion
  • Restrict processing
  • Object to processing
  • Request data portability

To exercise rights, contact:

info@vatty.com

You also have the right to lodge a complaint with the Information Commissioner’s Office.

13. Automated Processing

VATTY uses automated systems to:

  • Analyse invoices
  • Validate VAT data
  • Generate confidence scores

These outputs:

  • Support decision-making
  • Do not constitute legally binding decisions
  • Can be reviewed by users

14. Subprocessors

We use third-party subprocessors to deliver our services.

All subprocessors:

  • Are subject to written agreements
  • Meet GDPR requirements
  • Process data only on our instructions

A list of subprocessors is available on request.

15. Cookies

We use:

  • Essential cookies required for platform functionality
  • Analytics cookies to improve performance

Where required, consent is obtained before non-essential cookies are used.

16. Data Breaches

In the event of a data breach, we:

  • Assess risk promptly
  • Notify affected customers where required
  • Report to relevant authorities where legally required

17. Changes to This Policy

We may update this Privacy Policy from time to time.

Updates will be posted on this page with a revised “Last updated” date.

18. Contact

For any privacy-related queries:

Email: info@vatty.com

Questions about this document? Contact us at legal@vatty.co.uk