Data Processing Agreement

Last updated: 10 March 2026

This Data Processing Agreement ("DPA") forms part of the Agreement between you (the "Controller") and [Your Company Name] (the "Processor") for the provision of FreeReconcile. Terms not defined here have the meaning given in the Terms and Conditions.

1. Scope and Purpose

The Processor processes personal data on behalf of the Controller solely to provide the FreeReconcile service as described in the Agreement. The Processor acts only on the Controller's documented instructions and does not process personal data for its own purposes.

2. Data Subjects

The personal data processed may relate to:

  • The Controller (the FreeReconcile account holder)
  • Employees and contractors of the Controller who use FreeReconcile
  • Suppliers and customers of the Controller, to the extent identifiable in invoices, receipts, or email metadata

3. Categories of Data

The personal data processed includes:

  • Account details: name, email address, company name
  • Email metadata: sender, subject, date (no email body content)
  • PDF attachment contents: vendor names, amounts, dates, invoice numbers
  • FreeAgent data: bank account names, transaction descriptions, amounts, dates
  • FreeAgent OAuth tokens
  • Technical data: IP addresses, browser information, error logs

4. Sensitive Data

No special categories of data (as defined in UK GDPR Article 9) are intentionally processed. The Controller should not include sensitive personal data in documents uploaded to or processed by FreeReconcile.

5. Processing Operations

The personal data is processed for:

  • Scanning email accounts for PDF invoices and receipts
  • Extracting structured data from PDFs via OpenAI API
  • Matching extracted data to FreeAgent bank transactions
  • Suggesting and applying accounting categories and VAT treatment
  • User authentication and session management
  • Sending transactional emails (confirmations, notifications)
  • Technical support and error diagnosis

6. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorised to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Not engage sub-processors without the Controller’s prior consent (see section 7)
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all personal data upon termination of the Agreement, unless retention is required by law
  • Make available information necessary to demonstrate compliance and allow for audits

7. Sub-Processors

The Controller authorises the Processor to engage the following sub-processors:

| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication | EU |
| Vercel | Application hosting | Global edge |
| OpenAI | PDF data extraction | US |
| Resend | Transactional email | US |
| Google / Microsoft | Email access (OAuth2) | US / EU |
| Plausible Analytics | Privacy-friendly website analytics (no personal data) | EU |

The Processor will notify the Controller before adding or replacing a sub-processor. The Controller may object within 30 days. If the objection cannot be resolved, the Controller may terminate the Agreement.

8. Security Measures

The Processor implements the following technical and organisational measures:

Data in transit

  • All data transmitted over encrypted HTTPS connections
  • Connections to third-party APIs (FreeAgent, OpenAI, email providers) use TLS

Access control

  • Production access restricted to authorised personnel
  • API keys stored as environment variables, not in source code

Infrastructure

  • Hosted on Supabase (EU) and Vercel
  • Separate development and production environments

Data handling

  • Personal data deleted when no longer needed
  • Audit trail of FreeAgent operations available to Controller

9. International Transfers

Where personal data is transferred outside the UK or EEA (for example, to OpenAI or Resend in the US), the Processor ensures adequate protection through the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs).

10. Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address it.

11. Term and Termination

This DPA remains in effect for the duration of the Agreement. Upon termination, the Processor will delete all personal data within 90 days unless retention is required by law. The Controller may request a copy of their data in a machine-readable format before deletion.

12. Contact

Questions about this DPA should be addressed to:

FreeReconcile Privacy

Email: privacy@freereconcile.com