1. Introduction and Scope
FreelanceVault ("we," "us," "our") is a financial management platform designed for freelancers. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our website at freelancevault.app and our application (together, the "Service").
This policy applies to all users worldwide. Where specific regulations apply to users in the European Economic Area (EEA), the United Kingdom (UK), or the United States (US), we have included dedicated sections that set out your additional rights and our additional obligations under those laws. This includes the EU General Data Protection Regulation (GDPR), UK GDPR and Data Protection Act 2018, EU Data Act (Regulation (EU) 2023/2854), EU AI Act (Regulation (EU) 2024/1689), and US state privacy laws including the California Consumer Privacy Act (CCPA/CPRA).
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, you should not use the Service.
2. Data Controller and Contact Information
For the purposes of applicable data protection legislation (including the EU General Data Protection Regulation 2016/679 ("EU GDPR"), the UK General Data Protection Regulation as retained under the UK Data Protection Act 2018 ("UK GDPR"), the EU Data Act (Regulation (EU) 2023/2854), the EU AI Act (Regulation (EU) 2024/1689), and the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA")), FreelanceVault is the data controller responsible for your personal data.
If you have any questions about this Privacy Policy or our data practices, you can contact us at:
- Email: privacy@freelancevault.app
- General support: support@freelancevault.app
3. Categories of Personal Data We Collect
We collect and process the following categories of personal data:
3.1 Account and Identity Data
- Full name
- Email address
- Password (stored as a cryptographic hash — we never store your password in plain text)
- Google account identifier and profile information (if you choose to sign in with Google)
- Business name and business address
- VAT or tax identification number (if provided)
- Business logo (if uploaded)
- Region/country setting (UK or US)
3.2 Financial Data
- Income figures, monthly burn rate, guaranteed and risky income amounts, tax rates, and tax set-aside amounts that you manually enter
- Invoice details: client names, amounts, descriptions, due dates, payment status
- Expense records: descriptions, amounts, categories, dates, receipt images
- Project details: project names, client names, budgets, payment schedules
- Bank balance snapshots and financial baseline calculations
- Payment details (e.g., bank account or sort code for invoices — entered by you, displayed on your invoices)
3.3 Bank Connection Data (Optional Feature)
- Institution name and connection status from your connected bank account(s)
- Account balances and transaction data imported via TrueLayer (UK) — read-only access
- OAuth access tokens and refresh tokens provided by TrueLayer for maintaining the connection
- We do not receive, store, or have access to your bank login credentials. Authentication happens directly between you and your bank via the TrueLayer secure interface.
3.4 Technical and Usage Data
- IP address, browser type and version, operating system, device type
- Pages visited, features used, timestamps of access
- Referring URL (the website you came from before visiting us)
- Session cookies and authentication tokens necessary for the Service to function
3.5 Communication Data
- Emails sent through the Service (e.g., invoices emailed to your clients)
- Support correspondence if you contact us
- Newsletter sign-up email address (if you sign up for the newsletter before creating an account)
4. How We Collect Your Data
We collect personal data through:
- Direct input: Information you provide when creating an account, entering financial figures, creating invoices, recording expenses, or contacting us.
- Automated collection: Technical data collected automatically when you use the Service (see Section 3.4 above and our Cookie Policy).
- Third-party services: Data received from Google (if you sign in with Google), or TrueLayer (if you connect your bank account).
5. Legal Bases for Processing (EU GDPR and UK GDPR)
If you are located in the EEA or the UK, we process your personal data only where we have a lawful basis to do so under Article 6 of the GDPR. The legal bases we rely on are:
5.1 Performance of a Contract (Article 6(1)(b))
Processing necessary to provide the Service to you under our Terms of Service, including:
- Creating and managing your account
- Calculating and displaying your safety margin, runway, and financial summaries
- Generating, storing, and sending invoices on your behalf
- Recording and categorising your expenses
- Importing bank data when you choose to connect your bank
- Sending transactional emails (e.g., password reset, invoice delivery)
5.2 Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate interests, provided these interests are not overridden by your fundamental rights and freedoms:
- Improving and developing the Service based on aggregated usage patterns
- Ensuring the security and integrity of the Service
- Detecting, preventing, and responding to fraud, abuse, or security incidents
- Administering our business operations
5.3 Consent (Article 6(1)(a))
Where we rely on your consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. We rely on consent for:
- Placing non-essential cookies on your device (see our Cookie Policy)
- Sending you marketing or promotional communications (if applicable in future)
5.4 Legal Obligation (Article 6(1)(c))
Processing necessary to comply with our legal obligations, including:
- Responding to lawful requests from law enforcement or regulatory authorities
- Complying with applicable anti-money laundering (AML) regulations where required
- Retaining data for mandatory record-keeping periods under tax or financial regulations
6. How We Use Your Personal Data
We use your personal data for the following purposes:
- Providing the Service: Displaying your safety margin, financial dashboards, runway projections, invoice management, expense tracking, and project management features.
- Account management: Authenticating your identity, managing your account settings, and processing password resets.
- Bank data synchronisation: When you connect your bank account, importing transactions and balance data to keep your financial overview up to date. Automatic synchronisation occurs every 24 hours while your bank connection is active.
- Invoice delivery: Sending invoices to your clients via email on your behalf using our email infrastructure (Resend).
- PDF generation: Creating downloadable PDF versions of your invoices.
- Service improvement: Using anonymised and aggregated data (which cannot identify you) to understand usage patterns and improve the Service.
- Security: Monitoring for suspicious activity, preventing fraud, and protecting the Service and its users.
- Legal compliance: Responding to legal obligations, regulatory requirements, and lawful data access requests.
- Communications: Sending you essential service-related notifications (e.g., security alerts, changes to our terms).
We do not sell your personal data. We do not use your data for automated decision-making or profiling that produces legal effects concerning you.
6.5 AI and Automated Systems (EU AI Act)
FreelanceVault does not use high-risk AI systems as defined by Regulation (EU) 2024/1689 (EU AI Act). Features such as payment predictions are based on deterministic calculations (e.g., average payment times from your historical data), not machine learning or artificial intelligence. We do not engage in prohibited AI practices such as biometric categorisation, emotion recognition, social scoring, or cognitive manipulation. If we introduce AI systems in the future, we will update this policy and comply with applicable transparency obligations under the AI Act.
7. Who We Share Your Data With
We share your personal data only with the following categories of recipients, and only to the extent necessary for the purposes described in this policy:
7.1 Service Providers (Data Processors)
We use the following third-party service providers who process data on our behalf under data processing agreements:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase (US) | Hosting, database, authentication | All account and financial data |
| Vercel (US) | Application hosting, edge delivery | Technical/usage data, IP addresses |
| Resend (US) | Transactional email delivery | Email addresses, invoice content |
| TrueLayer (UK) | Bank connectivity (UK users) | Bank account data, OAuth tokens |
| Google (US) | OAuth sign-in (optional) | Account identifier, name, email |
7.2 Your Clients
When you send an invoice through FreelanceVault, the email will contain your business name, business address, VAT number (if provided), payment details, and the invoice content. This information is shared because you have instructed us to send the invoice on your behalf.
7.3 Law Enforcement and Regulatory Authorities
We may disclose your personal data if required to do so by law, in response to a valid legal process (such as a court order, subpoena, or regulatory request), or where we believe in good faith that disclosure is necessary to:
- Comply with applicable law or regulation
- Protect our rights, property, or safety, or that of our users or the public
- Detect, prevent, or address fraud, security, or technical issues
7.4 Business Transfers
If FreelanceVault is involved in a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your personal data is transferred and becomes subject to a different privacy policy.
We do not share, sell, rent, or trade your personal data with third parties for their own marketing or advertising purposes.
8. International Data Transfers
Our Service is hosted on infrastructure located in the United States. If you are located in the EEA or the UK, this means your personal data is transferred to a country outside the EEA/UK.
We ensure that any international transfers of personal data are carried out in compliance with applicable data protection laws. We rely on the following safeguards:
- Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) with our service providers to ensure adequate protection for data transferred outside the EEA/UK.
- EU-US Data Privacy Framework: Where our service providers are certified under the EU-US Data Privacy Framework (and UK Extension), we rely on their certification as a valid transfer mechanism.
- Adequacy decisions: Where the European Commission or UK Secretary of State has made an adequacy decision for a country, transfers to that country do not require additional safeguards.
You may request a copy of the safeguards we have in place by contacting us at privacy@freelancevault.app.
9. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention periods are as follows:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days | Service provision; grace period for reactivation |
| Financial data (invoices, expenses) | Duration of account + 7 years | UK HMRC requirement (6 years); US IRS requirement (up to 7 years); EU member state tax record-keeping obligations |
| Bank connection tokens | Until disconnection + 24 hours | Tokens deleted promptly after disconnection |
| Bank transaction data | Duration of account + 7 years | Tax record-keeping obligations |
| Technical/usage data | 90 days | Security monitoring and debugging |
| Support correspondence | 2 years after resolution | Service improvement and dispute resolution |
| Newsletter email | Until you unsubscribe or create an account | Legitimate interest in communicating product updates and tips |
When the retention period expires, we securely delete or anonymise your personal data so that it can no longer be associated with you. Where anonymisation is used, the anonymised data may be retained indefinitely for analytical purposes.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
- Encryption at rest: Your data stored in our database is encrypted at rest using AES-256 encryption provided by our infrastructure provider.
- Password security: Passwords are hashed using bcrypt with an appropriate work factor. We never store passwords in plain text.
- Row-Level Security (RLS): Our database enforces row-level security policies ensuring that each user can only access their own data. Every database table containing user data is protected by RLS policies filtering on user identity.
- Authentication security: We use secure, HTTP-only session cookies. OAuth authentication with Google uses PKCE (Proof Key for Code Exchange) to prevent authorization code interception attacks.
- Bank connection security: We use OAuth 2.0 to connect to your bank through TrueLayer. We obtain read-only access. We never receive your bank login credentials. You can disconnect your bank at any time from your settings page.
- Webhook verification: Authentication webhook payloads are verified using HMAC-SHA256 signatures to prevent tampering.
- Access controls: Access to production systems and databases is restricted to authorised personnel only, using the principle of least privilege.
- Regular updates: We keep our software dependencies and infrastructure up to date with security patches.
While we take all reasonable steps to protect your data, no method of transmission over the internet or electronic storage is 100% secure. If you become aware of any security vulnerability or believe your account has been compromised, please contact us immediately at security@freelancevault.app.
11. Your Rights Under EU GDPR and UK GDPR
If you are located in the EEA or the UK, you have the following rights under the GDPR. You can exercise any of these rights by contacting us at privacy@freelancevault.app. We will respond to your request within 30 days (or within the timeframe required by applicable law).
- Right of access (Article 15): You have the right to request a copy of the personal data we hold about you, together with information about how we process it, why we process it, how long we retain it, and who we share it with.
- Right to rectification (Article 16): You have the right to request that we correct any inaccurate personal data we hold about you, or complete any incomplete personal data.
- Right to erasure (Article 17): You have the right to request that we delete your personal data where there is no compelling reason for us to continue processing it. This right is not absolute — we may need to retain certain data to comply with legal obligations (e.g., tax record-keeping requirements).
- Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we verify the accuracy of data you have contested.
- Right to data portability (Article 20): You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. You can also request that we transmit the data directly to another controller where technically feasible.
- Right to object (Article 21): You have the right to object to our processing of your personal data where we rely on legitimate interests as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.
- Right to withdraw consent (Article 7(3)): Where we process your data based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In the EU, you can contact your local data protection authority — a list is available at edpb.europa.eu.
11.5 EU Data Act (Data Access and Portability)
Regulation (EU) 2023/2854 (EU Data Act) applies from 12 September 2025. If you are in the EEA or UK, you have additional rights regarding data generated through your use of FreelanceVault:
- Right to access in machine-readable format: You may request a copy of your data (including personal and non-personal data such as invoices, expenses, and financial summaries) in a structured, commonly used, and machine-readable format (e.g., JSON or CSV).
- Right to share with third parties: You may request that we make your data available to a third party of your choice, subject to technical feasibility and our obligations under data protection law.
- Transparency: We provide clear information about the type, scope, and use of data we collect before you create an account (this Privacy Policy and our Terms of Service).
Where the Data Act overlaps with the GDPR for personal data, the GDPR takes precedence. To exercise these rights, contact us at privacy@freelancevault.app.
12. Your Rights Under the CCPA/CPRA (California Residents)
If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with specific rights regarding your personal information. This section describes those rights and explains how to exercise them.
12.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers: Name, email address, IP address, account name, unique personal identifier
- Financial information: Bank account details (via open banking), income, expenses, invoice amounts, tax information
- Commercial information: Records of services purchased (if applicable), invoices created, client information
- Internet or other electronic network activity: Browsing history on the Service, interaction with the Service, search history within the Service
- Professional or employment-related information: Business name, business address, VAT/tax identification number
12.2 Sources of Personal Information
We collect personal information from: (a) you directly; (b) your browser or device automatically; and (c) third-party services you connect (Google, TrueLayer).
12.3 Business or Commercial Purposes for Collection
We collect personal information for the purposes described in Section 6 of this policy, including providing the Service, maintaining your account, security, and service improvement.
12.4 Sale and Sharing of Personal Information
We do not sell your personal information as defined by the CCPA. We do not share your personal information for cross-context behavioural advertising purposes. We have not sold or shared personal information in the preceding 12 months.
12.5 Your CCPA/CPRA Rights
- Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
- Right to delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (e.g., data we must retain for legal or regulatory compliance).
- Right to correct: You have the right to request that we correct inaccurate personal information we maintain about you.
- Right to opt-out of sale/sharing: Although we do not sell or share your personal information, you may submit an opt-out request at any time.
- Right to limit use of sensitive personal information: You have the right to limit our use and disclosure of sensitive personal information (including financial data) to uses that are necessary to provide the Service.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge you different prices, provide you a different level of service, or suggest any of these will occur as a result of exercising your rights.
12.6 How to Exercise Your Rights
To exercise any of the rights described above, you may submit a verifiable consumer request by:
- Emailing us at privacy@freelancevault.app
We will verify your identity before processing your request by matching information you provide against information we have on file. You may designate an authorised agent to make a request on your behalf. If you use an authorised agent, we may require proof of their authorisation and still verify your identity directly.
We will respond to your request within 45 days of receiving it. If we need additional time (up to 45 more days), we will inform you of the reason and extension period in writing.
13. Other US State Privacy Laws
In addition to California, several other US states have enacted comprehensive privacy laws. If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Nebraska (NDPA), Minnesota (MCDPA), Maryland (MODPA), or any other state with an applicable consumer privacy law, you generally have the following rights (subject to the specific provisions of your state's law):
- Right to confirm whether we are processing your personal data
- Right to access your personal data
- Right to correct inaccuracies in your personal data
- Right to delete your personal data
- Right to obtain a copy of your personal data in a portable format
- Right to opt out of the sale of personal data, targeted advertising, and profiling (we do not engage in any of these activities)
To exercise these rights, contact us at privacy@freelancevault.app. If your request is denied, you have the right to appeal, and we will provide instructions on how to do so.
14. Financial Regulation and Open Banking Compliance
14.1 Payment Services and Open Banking
FreelanceVault uses open banking services to allow you to connect your bank account and view your financial data. We access your bank data through regulated third-party providers:
- TrueLayer (UK users): TrueLayer is authorised by the UK Financial Conduct Authority (FCA) as an Authorised Payment Institution under the Payment Services Regulations 2017 (Firm Reference Number: 901096). TrueLayer provides Account Information Services (AIS) under the revised Payment Services Directive (PSD2) and its UK equivalent. When you connect your bank via TrueLayer, you authenticate directly with your bank. We receive read-only access to your account balance and transaction history.
14.2 What We Are Not
FreelanceVault is a financial management and visualisation tool. We are not:
- A bank, credit institution, or payment services provider
- A financial adviser or provider of regulated financial advice
- An accounting firm or provider of tax advice
- An investment firm or provider of investment advice
The information presented in the Service (including your safety margin, runway, tax estimates, and financial summaries) is for informational purposes only and does not constitute financial, tax, legal, or investment advice. You should consult a qualified professional for advice specific to your circumstances.
14.3 Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF)
While FreelanceVault is not a regulated financial institution, we are committed to not facilitating money laundering, terrorist financing, or other financial crime. We cooperate with law enforcement and regulatory authorities where required by law. Our open banking providers (TrueLayer and Plaid) are subject to their own AML/CTF obligations as regulated entities.
14.4 Gramm-Leach-Bliley Act (GLBA) — US
To the extent that the GLBA applies to the financial data we handle, we comply with the GLBA's requirements regarding the protection of nonpublic personal information (NPI). We implement administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of your financial information. We do not share your financial information with non-affiliated third parties except as permitted by the GLBA or as described in this Privacy Policy.
14.5 Strong Customer Authentication (SCA)
Under PSD2 (EU) and the UK's Payment Services Regulations 2017, Strong Customer Authentication is required when you access your bank account data through open banking. This authentication is handled by your bank and by TrueLayer — FreelanceVault does not participate in the SCA process directly. You will be redirected to your bank's authentication flow, which typically requires two or more independent authentication factors.
15. Cookies and Similar Technologies
We use cookies and similar technologies as described in our Cookie Policy. In summary:
- We use strictly necessary cookies for authentication and session management. These cookies are essential for the Service to function and cannot be disabled.
- We do not use advertising, tracking, or third-party marketing cookies.
- Under the EU ePrivacy Directive (2002/58/EC as amended by 2009/136/EC) and the UK Privacy and Electronic Communications Regulations 2003 (PECR), strictly necessary cookies do not require consent. Should we introduce any non-essential cookies in the future, we will obtain your prior consent through a cookie consent mechanism.
16. Children's Privacy
The Service is not directed at individuals under the age of 18 (or under the age of 16 in EEA member states where the relevant national age of digital consent is 16). We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@freelancevault.app, and we will take steps to delete such data.
In the United States, we comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under 13.
17. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. As we do not engage in tracking users across third-party websites or online services, we do not currently respond to DNT signals. However, because we do not track you across third-party sites, our practices are consistent with the intent of DNT signals.
18. Third-Party Links and Services
The Service may contain links to third-party websites or services that are not operated by us (e.g., your bank's website during the open banking connection flow). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing them with your personal data.
19. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- EU/UK GDPR: Notify the relevant supervisory authority (e.g., the ICO in the UK) within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Article 34).
- US State Laws: Notify affected individuals and relevant state authorities in accordance with applicable state data breach notification laws. California Civil Code Section 1798.82 requires notification without unreasonable delay; other states have similar requirements with varying timeframes.
20. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- We will update the "Last updated" date at the top of this page.
- For material changes that significantly affect how we process your personal data, we will notify you by email (sent to the email address associated with your account) or by displaying a prominent notice within the Service at least 30 days before the changes take effect.
- Where required by applicable law (including the GDPR), we will seek your consent to material changes in our data processing practices.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data.
21. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy enquiries: privacy@freelancevault.app
- General support: support@freelancevault.app
- Security issues: security@freelancevault.app
If you are not satisfied with our response to your privacy complaint, you have the right to lodge a complaint with your local data protection authority:
- UK: Information Commissioner's Office (ICO) — ico.org.uk — Telephone: 0303 123 1113
- EU: Your local data protection authority — see edpb.europa.eu for a full list
- California, US: Office of the Attorney General — oag.ca.gov/privacy