1. Data Controller
ScaleWithCFO Ltd ("we", "us", "our") is the data controller for personal data processed through the ScaleWithCFO platform.
Company: ScaleWithCFO Ltd
Registered in: England and Wales
Company number: 14883291
VAT number: GB457260289
Registered office: 87 Chandos Road, London, England, E15 1TT
ICO registration: CSN3095542 (pending formal confirmation)
Data Protection Officer: Not appointed — we are not required to appoint a DPO under UK GDPR Article 37. Data protection enquiries are handled directly by the company.
For any data protection enquiry, contact us at privacy@scalewithcfo.com. We respond within 30 days.
2. Data We Collect
- Account data: Name, email address, and hashed password (or SSO identity via Google/Microsoft).
- Financial data: Data you import from Xero or upload manually (P&L, Balance Sheet, Cash Flow, contracts, employees). This data belongs to your organisation.
- Usage data: IP address, browser type, pages visited, and timestamps for security and service improvement.
- Cookies: Essential authentication cookies only. No third-party tracking cookies. See Section 9.
3. Legal Basis for Processing
- Contract performance (UK GDPR Art 6(1)(b)): Processing your account and financial data to provide the forecasting service you signed up for.
- Legitimate interest (Art 6(1)(f)): Security logging, fraud prevention, and service improvement.
- Consent (Art 6(1)(a)): Marketing communications and optional analytics cookies (only with your explicit consent).
4. How We Use Your Data
- To provide and maintain the ScaleWithCFO platform
- To authenticate your identity and manage your account
- To process financial data for forecasting and reporting
- To communicate service updates and security notices
- To detect and prevent fraud or misuse
5. Sub-processors
We use the following third-party processors:
- Supabase (database & authentication) — EU region (London, eu-west-2). Supabase Inc, with Data Processing Agreement in place. See supabase.com/legal/dpa.
- Vercel (hosting) — London edge region (lhr1). Vercel Inc, with DPA in place.
- Resend (transactional email delivery) — EU region (Ireland, eu-west-1). Resend Inc, used to deliver account verification, password reset, and approval notification emails. Data sent: your email address, name, and the relevant authentication link. No marketing content.
- Xero (accounting integration) — Connected only when you explicitly authorise via OAuth. Xero Ltd processes data under their own privacy policy.
We maintain a current list of sub-processors and will notify you of material changes with reasonable notice.
6. International Data Transfers
Your data is primarily stored in the EU/UK (Supabase EU region, Vercel London). Where data is processed outside the UK, we rely on Standard Contractual Clauses (SCCs) or UK adequacy decisions to ensure equivalent protection.
7. Data Retention
- Account data: Retained for the duration of your account plus 30 days after deletion.
- Financial data: Retained for the duration of your account. Deleted within 30 days of account deletion.
- Audit logs: Retained for 2 years for security purposes.
- Consent records: Retained for 3 years to demonstrate GDPR compliance.
8. Your Rights
Under UK GDPR, you have the right to:
- Access — Request a copy of all personal data we hold about you (Subject Access Request).
- Rectification — Correct inaccurate personal data.
- Erasure — Request deletion of your data ("right to be forgotten").
- Portability — Receive your data in a structured, machine-readable format.
- Restriction — Restrict processing in certain circumstances.
- Object — Object to processing based on legitimate interest.
- Withdraw consent — Withdraw consent at any time (where processing is based on consent).
Exercise these rights via Settings > Your Data in the app, or email privacy@scalewithcfo.com. We respond within 30 days.
9. Cookies
We use essential cookies only for authentication session management. These are strictly necessary for the service to function and do not require consent. We do not use advertising or third-party tracking cookies. If we introduce optional analytics cookies in the future, we will request your explicit consent first.
10. Security
We implement appropriate technical measures including: encryption in transit (TLS), encryption at rest (Supabase), Row-Level Security (tenant data isolation), hashed passwords, and regular security reviews.
11. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
12. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or an in-app notification.