Privacy Policy

When you register, subscribe, or contact us, you provide:

• Your name and email address
• Your company or business name
• Subscription and billing details (processed by our payment provider; we do not store card numbers)

When you connect FreeReconcile to your email and FreeAgent account, we access:

• From your email: sender name, subject line, date, and PDF attachments only. We do not read or store email body content.
• From FreeAgent: bank account names (not account numbers or sort codes), unexplained bank transaction descriptions, amounts, and dates.

We import the minimum data necessary to operate the service. For example, we store your FreeAgent bank account name but never the account number or sort code.

When we process a receipt or invoice PDF, we extract:

• Vendor name, invoice number, date
• Line items, amounts, VAT amounts
• Currency and payment terms

PDFs are sent to OpenAI for structured data extraction. We strip identifiable sensitive fields (credit card numbers, bank details) before transmission. OpenAI processes data under their API data usage policy and does not use API inputs for training.

We automatically collect:

• IP address, browser type, and operating system
• Pages visited and features used
• Error logs for debugging

• Scanning your connected email accounts for PDF receipts and invoices
• Extracting structured data from PDFs
• Matching receipts to bank transactions in your FreeAgent account
• Suggesting VAT categories (standard rate, reverse charge, exempt, zero-rated)
• Applying matched explanations to FreeAgent when you approve them

• Authenticating you and managing your session
• Processing subscription payments
• Sending transactional emails (confirmations, receipts, password resets)
• Responding to support requests

• Analysing feature usage patterns (in aggregate, not individually identifiable)
• Debugging technical issues using error logs
• Improving matching accuracy

All data transmitted between your browser and FreeReconcile, and between FreeReconcile and third-party services (FreeAgent, email providers, OpenAI), is sent over encrypted HTTPS connections.

• Database and authentication: Supabase (EU data centre)
• Application hosting: Vercel (edge network)
• PDF processing: temporary storage, deleted within 7 days

Access to production systems and customer data is restricted to authorised personnel only. API keys are stored as environment variables and are not committed to source code or logged.

You are responsible for keeping your login credentials confidential. Do not share your password with anyone. Notify us immediately if you suspect unauthorised access to your account.

We use strictly necessary cookies for authentication and session management only:

We use Plausible Analytics, a privacy-friendly, cookie-free analytics tool. Plausible does not use cookies, does not collect personal data, and does not track users across sites. All data is aggregated and no individual visitor can be identified. Plausible is compliant with GDPR, PECR, and CCPA without requiring cookie consent.

We do not use advertising cookies, third-party tracking, Google Analytics, Meta Pixel, or similar services.

Since we only use strictly necessary cookies (as defined by the ICO) and cookie-free analytics, explicit cookie consent is not required under the Privacy and Electronic Communications Regulations 2003 (PECR). You can disable cookies in your browser settings, but authentication features will not work.

For more information about cookies, visit the ICO's guidance on cookies. For details on how Plausible handles data, see their data policy.