Privacy Policy
Last updated: May 2026
This Privacy Policy explains how Rxolve Ltd (“Rxolve”, “we”, “us”) collects, uses, and protects personal data when you use our platform at www.rxolve.co (the “Service”). It applies to all customers, users, and visitors. We process personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”).
1. Who we are (data controller)
The data controller is Rxolve Ltd, registered in England and Wales (company number TBC; registered address TBC). Our nominated contact for data protection matters is reachable at privacy@rxolve.co.
2. Data we collect
We collect the following categories of personal data:
- Account data. Name, email address, company name, business address, and payment details (processed by Stripe; we do not store full card numbers).
- OAuth tokens and connection credentials. When you connect an accounting platform or bank, we store encrypted OAuth tokens or API keys required to read data on your behalf.
- Financial data. Invoice data, payment data, bank transaction data, and similar financial records retrieved from your connected platforms. This data belongs to your business; we process it solely to provide the Service.
- Usage data. Pages visited, features used, browser type, IP address, and timestamps — collected via server logs and Plausible Analytics (cookieless; see our Cookie Policy).
- Communications. Messages you send to us via the contact form or email, and any feedback you provide.
- Account settings. Tone-of-voice preferences, approval thresholds, and other configuration data you enter in the Service.
3. Lawful bases for processing
We rely on the following lawful bases under UK GDPR Article 6:
- Performance of a contract — processing your account data, financial data, and OAuth tokens is necessary to provide the Service you have subscribed to.
- Legitimate interests — processing usage data for security monitoring, fraud prevention, and service improvement, where our interests are not overridden by your rights.
- Consent — where you have opted in to cross-customer pattern learning (see below). You may withdraw this consent at any time in your Billing & plan settings.
- Legal obligation — where we are required to process data to comply with applicable law, including tax, accounting, and anti-money-laundering obligations.
Cross-customer pattern learning. With your explicit consent, anonymised signals from your data may be used to improve pattern-detection models that benefit all customers. This is optional and toggled off by default. No raw financial data or identifiable information is shared with other customers.
4. How we use your data
- To provide, maintain, and improve the Service;
- To generate AI-powered recommendations, drafted communications, and reports;
- To send transactional emails (account confirmation, billing receipts, security alerts);
- To respond to your support and contact requests;
- To detect and prevent fraud, abuse, and unauthorised access;
- To comply with legal and regulatory obligations.
We do not sell your personal data. We do not use your data to train our AI models without your explicit consent.
5. Sub-processors
We use the following sub-processors to deliver the Service. Each is bound by a data processing agreement and appropriate safeguards:
- Anthropic — AI processing. Financial data and context are passed to Anthropic’s API to generate recommendations and narrative output. Anthropic does not use API inputs to train its models. Anthropic, Inc. is based in the United States (see Section 7).
- Supabase — database and authentication (hosted on AWS EU-West-1). Your account data, financial data, and OAuth tokens are stored here, encrypted at rest.
- Vercel — application hosting and serverless functions (hosted on AWS). EU region configured for production.
- Stripe — payment processing. Stripe is a PCI DSS Level 1 certified processor. We pass only the minimum required data.
- Plausible Analytics — cookieless, privacy-first web analytics. No personal data or IP addresses are stored; no cookies are set. Used on public marketing pages only.
6. Retention
We retain your account data and financial data for as long as your account is active. On account closure, we make your data available for export for 30 days, then delete it from live systems within 90 days. Some data may be retained for longer in anonymised form for aggregate analysis, or where required by law (for example, invoicing records for seven years under HMRC rules).
7. International transfers
Your data is processed primarily within the UK and European Economic Area. Where data is transferred to the United States (notably to Anthropic and Stripe), those transfers are protected by Standard Contractual Clauses approved under UK GDPR Article 46, supplemented by a transfer impact assessment confirming adequate protection.
8. Your rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you;
- Rectification — ask us to correct inaccurate data;
- Erasure — request deletion of your personal data, subject to legal retention obligations;
- Restriction — request that we limit processing in certain circumstances;
- Portability — receive your data in a structured, machine-readable format;
- Object — object to processing based on legitimate interests;
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any right, contact us at privacy@rxolve.co. We will respond within one calendar month. Identity verification may be required.
9. Security
We implement technical and organisational measures appropriate to the risk, including encryption of data at rest (AES-256) and in transit (TLS 1.3), access controls limiting data access to authorised personnel, and regular security reviews. No system is entirely secure; if you believe your account has been compromised, contact us immediately.
10. Children
The Service is intended for business use by individuals aged 18 or over. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or prominent notice in the Service at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.
12. Contact and complaints
For any data protection questions or to exercise your rights, contact us at privacy@rxolve.co or by post to Rxolve Ltd, [registered address TBC].
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113. We encourage you to contact us first so we can try to resolve your concern directly.