Privacy Policy
Last updated: March 2026
This Privacy Policy explains how ExpiryFlow (“we”, “us”, “our”) collects, uses, and protects your personal data when you use our service. We are committed to handling your data responsibly and in accordance with UK GDPR and the Data Protection Act 2018.
1. Who We Are
ExpiryFlow is a document expiry tracking service for UK contractors. For data protection purposes, ExpiryFlow is the data controller for the personal data you provide about yourself (your account, billing and usage data). For the subcontractor data you enter into the service, you are the data controller and we act as your data processor (see section 5). You can contact us at hello@expiryflow.co.uk.
2. Data We Collect
We collect and process the following categories of data:
- Account data: your name, email address, and company name when you register
- Subcontractor data: names, contact emails, and phone numbers you enter for your subcontractors
- Document data: document types, expiry dates, issue dates, notes, and uploaded files
- Usage data: login times, pages visited, and actions taken within the app (for security and product improvement)
- Billing data: payment information processed securely by Stripe — we do not store card details
3. How We Use Your Data
We use your data to:
- Provide and operate the ExpiryFlow service
- Send automated document expiry reminder emails to you and, where enabled, to your subcontractors
- Process payments and manage your subscription
- Respond to support requests
- Improve the product based on usage patterns
- Meet legal and regulatory obligations
4. Legal Basis for Processing
We process your data on the following legal bases under UK GDPR:
- Contract: to fulfil our service obligations to you
- Legitimate interests: to improve the service, keep it secure and prevent fraud
- Legal obligation: where required by law
5. Subcontractor Data
When you add subcontractor contact details and enable subcontractor email reminders, ExpiryFlow sends emails on your behalf to those addresses. You are the data controller for this subcontractor data and are responsible for ensuring you have an appropriate lawful basis to share it with us and to send automated emails to those individuals. We act as a data processor for this data and handle it only on your instruction.
6. Data Storage and Security
Your data is stored on servers located in the United Kingdom and the European Economic Area. We use Supabase for database and file storage; Supabase maintains ISO 27001 certification and a SOC 2 Type II report. All data is encrypted in transit (TLS) and at rest.
Access to production systems is restricted to authorised personnel only. We do not sell your data to third parties.
7. Third-Party Services
We use the following third-party services to operate ExpiryFlow:
- Supabase — database, authentication, and file storage
- Resend — transactional email delivery
- Stripe — payment processing
- Vercel — application hosting
Each of these providers has its own privacy policy and data protection commitments. We have data processing agreements in place with them where required.
8. Data Retention
We retain your data for as long as your account is active. If you cancel your account, we retain your data for 30 days to allow export, after which it is permanently deleted. Billing records may be retained for up to 7 years to meet legal requirements.
9. Your Rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Restrict or object to processing
- Receive your data in a portable format
- Withdraw consent where processing is based on consent
To exercise any of these rights, email us at hello@expiryflow.co.uk. We will respond within 30 days.
10. Cookies
ExpiryFlow uses only strictly necessary cookies, required for authentication and session management. We do not use advertising or tracking cookies. Because strictly necessary cookies are exempt from the consent requirement under the Privacy and Electronic Communications Regulations (PECR), no cookie consent banner is required.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you by email or in-app notice before material changes take effect. The current version is always available at expiryflow.co.uk/privacy.
12. Complaints
If you have concerns about how we handle your data, please contact us first at hello@expiryflow.co.uk. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
