ExpiryFlow

Legal

Privacy Policy

Last updated: June 2026

This Privacy Policy explains how ExpiryFlow (“we”, “us”, “our”) collects, uses, and protects your personal data when you use our service. We are committed to handling your data responsibly and in accordance with UK GDPR and the Data Protection Act 2018.

1. Who We Are

ExpiryFlow is a document expiry tracking service for UK contractors. For data protection purposes, ExpiryFlow Ltd (company number 17228075, registered in England and Wales) is the data controller for personal data processed through the service. We are registered with the Information Commissioner's Office under reference ZC166370. You can contact us at hello@expiryflow.co.uk.

2. Data We Collect

We collect and process the following categories of data:

3. How We Use Your Data

We use your data to:

4. Legal Basis for Processing

We process your data on the following legal bases under UK GDPR:

5. Subcontractor Data

When you add subcontractor contact details and enable subcontractor email reminders, ExpiryFlow sends emails on your behalf to those addresses. You are responsible for ensuring you have an appropriate basis to share subcontractor contact details with us and to send them automated emails. We act as a data processor for this data on your instruction.

6. Data Storage and Security

Your data is stored on servers located within the European Economic Area. We use Supabase for database and file storage, which maintains ISO 27001 certification and SOC 2 Type II compliance. All data is encrypted in transit (TLS) and at rest.

Access to production systems is restricted to authorised personnel only. We do not sell your data to third parties.

7. Third-Party Services

We use the following third-party services to operate ExpiryFlow:

Each of these providers has their own privacy policy and data protection commitments. We have data processing agreements in place where required.

8. Data Retention

We retain your data for as long as your account is active. If you cancel your account, we retain your data for 30 days to allow export, after which it is permanently deleted. Billing records may be retained for up to 7 years to meet legal requirements.

9. Your Rights

Under UK GDPR you have the right to:

To exercise any of these rights, email us at hello@expiryflow.co.uk. We will respond within 30 days.

10. Cookies

Necessary cookies

We set a session cookie when you log in. It is required for the service to work and is not used for analytics.

Analytics

We use PostHog to understand how the product is used. By default, we collect limited anonymous session data — no cookie is stored and no identifier persists across sessions. Client IP addresses are discarded at ingestion.

If you accept all cookies, we enable persistent analytics, user-level tracking, and session recordings linked to your account. You can withdraw consent at any time by clearing your browser storage or emailing hello@expiryflow.co.uk. Analytics data is stored on PostHog's EU servers and is not used for advertising.

We consider the default anonymous collection to fall within our legitimate interest in improving the service, and keep this under review.

No advertising or third-party tracking cookies are used.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by email or in-app notice before material changes take effect. The current version is always available at expiryflow.co.uk/privacy.

12. Complaints

If you have concerns about how we handle your data, please contact us first at hello@expiryflow.co.uk. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk. Our ICO registration reference is ZC166370.