GDPR Compliant

GDPR Privacy Policy

How SFI Solution collects, uses, and protects your personal data in accordance with GDPR and UK GDPR.

Last updated: 25 February 2026

1. Overview

SFI Solution is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and UK GDPR. This policy explains how we collect, use, store, and protect your personal data when you use our platform at sfisolution.com.

2. Data Controller

SFI Solution acts as the Data Controller for personal data collected through our website and platform. For data processed on behalf of our business clients (e.g. financial transaction data), we act as a Data Processor under their instructions.

If you have any questions about how we handle your data, please contact us at: privacy@sfisolution.com

3. Data We Collect

Account Information: Name, email address, company name, and password (hashed) when you register.

Billing Information: Payment card details processed securely by Stripe. We do not store full card numbers.

Financial Data: Bank statements, transaction records, and ledger data you upload or connect via integrations. This is processed solely to deliver reconciliation services.

Integration Credentials: OAuth tokens for connected services (Xero, QuickBooks, Plaid, etc.), stored encrypted.

Usage Data: Log data, IP addresses, browser type, pages visited, and feature usage for security and performance monitoring.

Communications: Emails and messages you send to our support or sales team.

4. Legal Basis for Processing

Contract Performance: Processing necessary to provide the reconciliation services you subscribed to (Article 6(1)(b)).

Legitimate Interests: Security monitoring, fraud prevention, service improvement, and analytics (Article 6(1)(f)).

Legal Obligation: Compliance with financial regulations and tax record-keeping requirements (Article 6(1)(c)).

Consent: Marketing emails and non-essential cookies, where you have given explicit consent (Article 6(1)(a)). You may withdraw consent at any time.

5. How We Use Your Data

Service Delivery: To process reconciliations, match transactions, and generate reports on your behalf.

Account Management: To manage your subscription, send invoices, and provide customer support.

Security: To detect and prevent fraud, unauthorised access, and abuse of our platform.

Communication: To send service notifications, security alerts, and (with consent) product updates.

Legal Compliance: To meet our obligations under applicable laws and respond to lawful requests.

6. Third-Party Data Processors

We share data only with trusted processors necessary to deliver our service. All processors are contractually bound to GDPR-compliant data protection standards.

Processor	Purpose	Location
Stripe	Payment processing and subscription management	USA (SCCs applied)
Plaid	Bank account connection and transaction retrieval	USA (SCCs applied)
Xero / QuickBooks	Ledger data access via OAuth (user-authorised)	USA / New Zealand
Amazon Web Services (AWS)	Cloud hosting and data storage (EC2, RDS)	EU region (eu-west-1)
Gmail / Google SMTP	Transactional email delivery	USA (SCCs applied)

7. Data Retention

Account Data: Retained for the duration of your subscription plus 2 years after account closure for legal compliance.

Financial Transaction Data: Retained for 7 years to meet standard accounting and tax record requirements.

Integration Tokens: Deleted immediately upon disconnection of the integration.

Usage Logs: Retained for 90 days for security monitoring and debugging.

Marketing Data: Retained until you withdraw consent or unsubscribe.

8. Your Rights Under GDPR

Right of Access

Request a copy of all personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.

Right to Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

Right to Restrict Processing

Request that we limit how we use your data in certain circumstances.

Right to Withdraw Consent

Withdraw consent for consent-based processing at any time, without affecting prior processing.

Right to Lodge a Complaint

File a complaint with your supervisory authority — in the UK this is the ICO (ico.org.uk).

9. International Data Transfers

Some of our third-party processors operate outside the UK/EEA (primarily in the USA). Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission, and we verify that recipient countries provide an adequate level of data protection.

10. Security Measures

Encryption: All data in transit is protected by TLS 1.2+. Sensitive credentials are encrypted at rest using AES-256.

Access Control: Role-based access controls ensure employees only access data necessary for their role.

Infrastructure: Hosted on AWS with security groups, private subnets, and automated backup policies.

Incident Response: We have a documented data breach response procedure. If a breach affects your rights, we will notify you within 72 hours as required by GDPR Article 33.

11. Cookies

We use essential cookies required for the platform to function (authentication sessions). We do not use third-party advertising or tracking cookies. Where non-essential cookies are used, we will request your consent. You can manage cookie preferences through your browser settings.

12. Contact & Data Requests

To exercise any of your rights, or if you have questions about this policy, please contact us:

Email: privacy@sfisolution.com Website: sfisolution.com/contact

We will respond to all legitimate requests within 30 days. For complex requests, we may extend this by a further two months and will inform you accordingly.

Exercise Your Rights

Submit a data access, rectification, or erasure request and we'll respond within 30 days.

Submit Data Request