Draft — pending legal review
Privacy Policy
Last updated: 16 February 2026
1. Who we are
Cuppa is operated by [Your Name / Company Name], registered at [Address]. We are the data controller for your personal data processed through Cuppa.
Contact us about data protection matters at: privacy@cuppa.app
2. What data we collect
Account information
- Name, email address
- Password (stored as a one-way hash — we cannot read it)
- Date you accepted our Terms of Service
Business and financial records
- Business name, address, start date
- Income and expense entries (dates, amounts, categories, notes)
- Client names and contact details
- Invoice details and bank account information (for invoicing)
- Vehicle and home office configuration
- Uploaded documents (receipts, invoices)
HMRC integration data
- HMRC National Insurance number and Unique Taxpayer Reference
- OAuth tokens for HMRC API access (encrypted at rest)
- Submission payloads and HMRC receipt identifiers
Technical data
- IP address and user agent (for session security and audit logging)
- Device information (for HMRC fraud prevention headers, as required by law)
- Session activity timestamps
3. Why we process your data (legal basis)
| Purpose | Legal basis |
|---|---|
| Providing the Cuppa service | Contract performance |
| Submitting data to HMRC on your behalf | Contract performance + legal obligation |
| HMRC fraud prevention headers | Legal obligation (HMRC requirement) |
| Session security and audit logging | Legitimate interest (security) |
| Storing financial records | Legal obligation (HMRC 5-year retention) |
4. How long we keep your data
- Financial records and submissions: 5 years from the end of the relevant tax year, as required by HMRC
- Account information: retained while your account is active, deleted within 30 days of account deletion
- Audit logs: retained for 2 years for security purposes
- HMRC tokens: deleted immediately when you disconnect your HMRC account
5. Who we share your data with
We only share your data with third parties that are necessary to provide the service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, file storage | EU (Frankfurt) |
| Vercel | Application hosting | EU / US |
| Google | OAuth sign-in (if you choose Google login) | US (adequate safeguards) |
| HMRC | Tax submissions (at your instruction) | UK |
We do not sell your data. We do not use your data for advertising. We do not share your data with any other third parties.
6. Your rights
Under UK GDPR, you have the right to:
- Access your personal data — you can export all your data from Settings at any time
- Rectify inaccurate data — you can edit your records directly in Cuppa
- Delete your data — you can delete your account from Settings (subject to HMRC retention requirements)
- Port your data — use the CSV export feature in Settings
- Object to processing based on legitimate interest
- Restrict processing in certain circumstances
To exercise any of these rights, email privacy@cuppa.app. We will respond within 30 days.
7. Cookies
Cuppa uses only essential cookies required for the service to function. We do not use any third-party tracking or analytics cookies. For full details, see our Cookie Policy.
8. Data security
We protect your data with:
- Encryption in transit (TLS) and at rest
- Field-level encryption for sensitive data (bank details, HMRC tokens)
- Password hashing with bcrypt (12 rounds)
- Rate limiting on authentication endpoints
- Session management with device tracking
- Audit logging of security-relevant actions
9. Complaints
If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
10. Changes to this policy
We may update this policy from time to time. If we make significant changes, we will notify you by email or through the application. The "last updated" date at the top of this page will always reflect the most recent version.