Privacy Policy

Last updated: 23 April 2026

Draft v1. This document has been prepared as a working draft and has not yet been reviewed by a qualified solicitor. Items in highlighted monospace {{LIKE_THIS}} are placeholders to be completed before public launch.

1. Who we are

This privacy policy explains how Independent Check Ltd (“we”, “us”, “our”), the operator of the UltAI-Mate platform (the “Service”), collects, uses and protects your personal data. Independent Check Ltd is a company registered in England and Wales under company number {{COMPANY_NUMBER}}, with its registered office at {{REGISTERED_OFFICE_ADDRESS}}.

We are the “data controller” in respect of the personal data described in this policy, except where we act as a “data processor” on behalf of an adviser firm (see Section 3).

We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR).

2. Summary

In plain English: we collect the minimum personal data needed to run the Service, we store it on servers in the European Union (Germany), we never sell it, and we only share it with the service providers listed in Section 7. You have strong rights over your data, set out in Section 10.

3. Controller and processor roles

UltAI-Mate is sold to FCA-authorised adviser firms, who then invite their clients onto the platform. Our role depends on whose data is being processed:

  • Adviser firm users (advisers and staff): we act as data controller for their account data.
  • End-client users (clients of adviser firms): the adviser firm is the data controller for the client’s personal and financial data. We act as data processor on behalf of the firm under a Data Processing Agreement (DPA). The firm decides what data is entered and why; we simply provide the platform.
  • Public website visitors: we act as data controller in respect of any information collected via our website (cookies, contact forms).

4. What personal data we collect

4.1 Account data

  • Full name, email address and role (adviser, staff, client)
  • Firm identifier and seat assignment (for adviser-firm users)
  • Hashed password and authentication session tokens
  • Preferences and in-app settings

4.2 Financial information (client users)

  • Budgets, savings goals and financial plans you create
  • Bank or credit-card statements you voluntarily upload for analysis
  • Receipts you scan through the app
  • Free-text notes entered into the AI chat or planner tools

We do not store full payment-card numbers. Where you upload statements, we process them to produce summaries and then retain the source document under the retention rules in Section 8.

4.3 Billing data (firms only)

Billing for firm subscriptions is handled by Stripe. We do not store card details; Stripe retains them under its own privacy policy. We store Stripe customer and subscription identifiers, plan name, and invoice history.

4.4 Technical data

  • IP address, browser type, device and operating system
  • Pages viewed, features used and approximate timings
  • Logs of authentication events and admin actions

4.5 AI interaction data

When you use the chat, statement analyser, receipt scanner or other AI features, we record the prompt sent, the response returned, model version and token counts. This lets us monitor cost and quality, and resolve support queries.

5. How we use your data and the lawful basis

Under UK GDPR we must have a “lawful basis” for every use of personal data. Ours are:

PurposeLawful basis
Provide the Service you signed up forPerformance of a contract
Process payments and send receipts (firms)Contract & legal obligation
Run AI features (chat, analysis, scanning)Contract; and, for sensitive content you choose to share, your consent
Security, fraud prevention, platform abuse detectionLegitimate interests
Send service emails (password resets, invoices, outages)Contract
Marketing emails about new featuresConsent (you can opt out at any time)
Keep accounting, tax and regulatory recordsLegal obligation
Improve the product at an aggregate levelLegitimate interests

6. AI processing and automated decision-making

UltAI-Mate uses large-language-model technology provided by Anthropic PBC. When you use an AI feature, the relevant content (prompt plus any document you attach) is sent over an encrypted connection to Anthropic for processing, then returned to the Service.

We have a data-processing contract with Anthropic under which Anthropic agrees not to use your content to train its models.

The AI does not make decisions that produce legal or similarly significant effects on you. Outputs are drafts and informational summaries only; a human (either you or your adviser) remains responsible for acting on them. UltAI-Mate does not provide regulated financial advice.

7. Who we share your data with

We do not sell personal data. We share it only with the following categories of recipient:

  • Your adviser firm (if you are a client user) — your firm can see the data you enter on the platform, as it is the controller for that data.
  • Sub-processors who help us run the Service, under written data-processing agreements:
    • Hetzner Online GmbH (Germany) — cloud infrastructure and backups.
    • Anthropic PBC (United States) — AI model inference for chat and analysis features.
    • Stripe Payments Europe Ltd (Ireland) — payments and subscription billing (firm customers only).
    • {{EMAIL_PROVIDER}} — transactional email delivery.
  • Professional advisers (lawyers, accountants, auditors) where we have a legal or legitimate need.
  • Regulators, courts and law-enforcement where we are required to by law.
  • A successor entity in the event of a merger, acquisition or sale of business assets (you will be notified in advance).

8. International transfers

Our primary data storage (Postgres, uploaded files, audit logs) is located in Germany, within the European Union. No transfer outside the UK or EEA is required for primary storage.

Some sub-processors are located outside the UK or EEA, in particular Anthropic (United States). Where this applies, we rely on one or more of the following safeguards:

  • the UK International Data Transfer Agreement (IDTA); or
  • the EU Standard Contractual Clauses with the UK Addendum; or
  • an applicable UK adequacy decision (e.g. the UK-US Data Bridge).

You can request a copy of the safeguard in place for any specific transfer by emailing {{PRIVACY_EMAIL}}.

9. How long we keep your data

  • Account data: for as long as your account is active, plus up to 90 days after closure to allow for reversal of accidental deletion.
  • Client financial data (held on behalf of firms): retained while the firm’s subscription is active and the firm has not issued a deletion instruction. On firm termination the data is deleted or returned per the DPA within 30 days.
  • AI chat and analysis logs: 12 months, unless you or your firm ask us to delete sooner.
  • Billing and invoice records: 6 years, to meet UK tax and accounting obligations (Companies Act 2006).
  • Audit and security logs: 12 months.
  • Marketing contacts: until you unsubscribe, then suppression list only.

10. Your rights

Under UK GDPR you have the right to:

  • be informed about how your data is used (this policy);
  • access a copy of the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased (“right to be forgotten”), subject to legal retention obligations;
  • restrict how we use your data;
  • receive your data in a portable, machine-readable format, or have it transferred to another provider;
  • object to processing based on legitimate interests or direct marketing;
  • withdraw any consent you have given, at any time, without affecting lawfulness of prior processing.

To exercise any of these rights, email {{PRIVACY_EMAIL}}. If you are a client of an adviser firm, please raise the request with your firm in the first instance, as the firm is your data controller.

We will respond within one month. There is no charge, unless your request is manifestly unfounded or excessive.

11. Security

We take appropriate technical and organisational measures to protect your personal data, including encryption in transit and at rest, row-level-security isolation between firms, strict access controls, and regular backups. Full details are in our Security overview.

12. Cookies

See our Cookie Policy for the list of cookies we set and how to manage them.

13. Children

The Service is not directed at children under 16. If you believe a child has provided us with personal data, please contact {{PRIVACY_EMAIL}} and we will delete it.

14. Complaints

If you are unhappy with how we have handled your personal data, please contact us first at {{PRIVACY_EMAIL}} so we can try to put it right. You also have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
ico.org.uk — 0303 123 1113

15. Changes to this policy

We may update this policy from time to time. When changes are material, we will notify you by email and in-app at least 14 days before they take effect. The “Last updated” date at the top of this page tells you when the current version was published.

16. Contact us

For anything to do with privacy or your personal data, contact:

Independent Check Ltd
{{REGISTERED_OFFICE_ADDRESS}}
Email: {{PRIVACY_EMAIL}}
Privacy Policy | UltAI-Mate