Privacy Policy

Last updated: 28 February 2026

1. Who We Are

AutoFact AI is operated by AutoFact Solutions Ltd, registered in England and Wales. We are the data controller for personal data collected through our website and platform. Contact: privacy@autofact-solutions.com.

2. Data We Collect

We collect only the data necessary to provide the AutoFact AI service:

  • Account Data: Name, email address, company name, and billing details provided during registration.
  • Invoice Data: Invoice files, extracted fields (supplier, amount, date, VAT number), and processing history uploaded or ingested by you.
  • Usage Data: Platform activity logs, feature usage, and session metadata used to improve the service.
  • Communications: Support emails and messages you send us.

3. Legal Basis for Processing

We process your personal data under the following lawful bases (GDPR Article 6):

  • Contract performance: Processing required to deliver the AutoFact AI service you subscribed to.
  • Legitimate interests: Security monitoring, fraud prevention, product improvement, and analytics.
  • Legal obligation: Compliance with applicable laws and regulatory requirements.
  • Consent: Marketing communications (where you have opted in).

4. How We Use Your Data

  • To provide, maintain, and improve the AutoFact AI platform
  • To process invoices and generate audit trails on your behalf
  • To send transactional emails (invoice processing confirmations, billing receipts)
  • To respond to support requests
  • To comply with legal obligations (tax, anti-money laundering, etc.)
  • To detect and prevent fraud, abuse, and security incidents

5. Data Sharing

We do not sell your personal data. We share data only with:

  • Infrastructure providers: Cloud hosting (AWS/Vercel) under data processing agreements.
  • Payment processor: Stripe, for billing and subscription management.
  • Authentication provider: Auth.js / Supabase for secure login.
  • Legal requirements: When required by law, court order, or regulatory authority.

6. Data Retention

We retain account data for the duration of your subscription plus 30 days after closure for data recovery purposes. Invoice records and audit trails are retained for five years on Starter and Business plans, with longer retention options on Enterprise plans, to support tax authority requirements. You may request earlier deletion subject to legal retention obligations.

7. Your Rights (GDPR)

Under GDPR and UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Erase your data (right to be forgotten) where legally permissible
  • Restrict processing in certain circumstances
  • Receive your data in a machine-readable format (data portability)
  • Object to processing based on legitimate interests
  • Withdraw consent at any time (where processing is consent-based)

To exercise these rights, contact privacy@autofact-solutions.com. We will respond within 30 days.

8. Data Security

We implement technical and organizational measures to protect your data: encryption in transit (TLS 1.3) and at rest (AES-256), access controls, audit logging, and regular security reviews. No data transmission over the internet is 100% secure; however, we take commercially reasonable steps to protect your information.

9. International Transfers

Our infrastructure is primarily hosted in the EU and UK. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).

10. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with your national data protection authority. In the UK, this is the Information Commissioner's Office (ICO). In the EU, contact your local supervisory authority.

11. Changes to This Policy

Material changes to this policy will be communicated via email or platform notification at least 14 days before taking effect. Continued use of the platform after the effective date constitutes acceptance.

© 2026 AutoFact AI. All rights reserved.