Privacy Policy

Last updated: January 21, 2026

1. Introduction

This Privacy Policy explains how Rich Moore trading as Experi ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use the Experi service (experi.co.uk).

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller

Name: Rich Moore (sole trader)

Trading as: Experi

Contact: hello@experi.co.uk

2. What Data We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Password (hashed)
  • Account creation date

2.2 Business Profile Data

When you set up your business profile, we collect:

  • Business name
  • Contact name
  • Business address
  • Business email and phone number
  • Tax information (VAT number, company number)
  • Bank details (for display on invoices)
  • Payment preferences

2.3 Client Data

When you add clients, we collect:

  • Client name and company
  • Client email address
  • Client postal address
  • Notes about the client

2.4 Invoice Data

When you create invoices, we collect:

  • Invoice details (items, amounts, dates)
  • Payment information
  • Invoice status
  • Email send history

2.5 Payment Information

Payment processing is handled by Stripe. We do not store your full credit card details. We only store:

  • Stripe customer ID
  • Subscription status
  • Subscription plan
  • Payment dates

2.6 Usage Data

We automatically collect:

  • IP address
  • Browser type and version
  • Device information
  • Pages visited and time spent
  • Referring website
  • Session data

2.7 Cookies

We use cookies for authentication and session management. See our Cookie Policy for details.

3. Why We Collect Your Data (Legal Basis)

3.1 Contract Performance

We process your account, business, client, and invoice data to provide the Service you signed up for. This is necessary for the performance of our contract with you.

3.2 Legitimate Interests

We process usage data to:

  • Improve the Service
  • Detect and prevent fraud
  • Ensure security
  • Analyze usage patterns
  • Provide customer support

3.3 Legal Obligation

We may process data to comply with legal requirements, such as responding to lawful requests from authorities.

3.4 Consent

For marketing communications, we will only contact you if you have given explicit consent.

4. How We Use Your Data

We use your data to:

  • Create and manage your account
  • Provide invoice creation and management services
  • Send invoices via email to your clients
  • Process subscription payments
  • Send automated invoice reminders
  • Provide customer support
  • Send service-related notifications (e.g., password resets, subscription changes)
  • Improve and develop the Service
  • Detect fraud and ensure security
  • Comply with legal obligations

✓ We Do NOT:

  • Sell your data to third parties
  • Use your data for unrelated marketing
  • Share your client data with competitors
  • Use your invoice data for our own business purposes

5. Where We Store Your Data

Your data is stored with the following trusted service providers:

  • Supabase (PostgreSQL database): Account, business, client, and invoice data. Supabase uses AWS infrastructure with data centers in the EU/UK.
  • Vercel: Application hosting. Servers primarily in the EU/UK.
  • Resend: Email delivery service for sending invoices to your clients.
  • Stripe: Payment processing (USA-based, GDPR-compliant).

When data is transferred outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions.

6. Who We Share Your Data With

We may share your data with:

6.1 Service Providers

  • Hosting providers (Vercel, Supabase)
  • Email service (Resend) - to send invoices on your behalf
  • Payment processor (Stripe) - to process subscriptions

6.2 Your Clients

When you send an invoice, we share the invoice data (business details, amounts, items) with your client via email. This is at your instruction.

6.3 Legal Requirements

We may disclose data if required by law, court order, or to protect our legal rights.

6.4 Business Transfers

If Experi is sold or merged, your data may be transferred to the new owner (you will be notified).

7. How Long We Keep Your Data

  • Active accounts: Data is retained for as long as your account is active.
  • After account deletion: All user data, invoices, clients, and business information are immediately and permanently deleted from our active database. Audit logs may be retained in anonymized form (with your personal identifiers removed) for security and compliance purposes.
  • Database backups: Deleted data may persist in encrypted backups for up to 30 days before being permanently purged.
  • Legal holds: If your account is subject to a legal investigation or court order, we may be required to retain data longer than stated above.

💡 Self-Service Deletion: You can delete your account instantly through your Account Settings. No need to contact support or wait for manual processing.

8. Your Rights Under GDPR

You have the following rights:

8.1 Right to Access

You can request a copy of all personal data we hold about you.

8.2 Right to Rectification

You can update incorrect or incomplete data via your account settings or by contacting us.

8.3 Right to Erasure ("Right to be Forgotten")

You can delete your account and all associated data at any time through your Account Settings. This will permanently delete:

  • Your user profile and authentication data
  • All invoices and line items
  • All client records
  • All recurring invoice configurations
  • All email history and logs
  • Your business profile information

⚠️ Important: Account deletion is permanent and cannot be undone. We recommend exporting your data before deletion. Audit logs may be retained in anonymized form for security and compliance purposes.

8.4 Right to Data Portability

You can export all your data in JSON format through your Account Settings. The export includes:

  • Your profile and account information
  • Complete invoice history with line items
  • All client data
  • Business profile settings
  • Recurring invoice configurations
  • Email sending logs
  • Recent audit logs (last 1,000 entries)

This data is provided in machine-readable JSON format, making it easy to transfer to another service or keep as a backup.

8.5 Right to Restrict Processing

You can request that we stop processing your data in certain circumstances.

8.6 Right to Object

You can object to processing based on legitimate interests or for marketing purposes.

8.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time.

How to Exercise Your Rights

To exercise any of these rights, please email us at hello@experi.co.uk. We will respond within 30 days.

9. Security

We implement appropriate technical and organizational measures to protect your data:

  • Passwords are hashed using bcrypt
  • Data is transmitted over HTTPS (SSL/TLS encryption)
  • Access to data is restricted to authorized personnel only
  • Regular security updates and monitoring
  • Database backups and disaster recovery procedures

However, no system is 100% secure. We cannot guarantee absolute security, but we take all reasonable steps to protect your data.

10. Children's Privacy

Experi is not intended for use by anyone under the age of 18. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The "Last updated" date at the top indicates the most recent revision.

12. Complaints

If you believe we have not handled your data properly, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Information Commissioner's Office (ICO)

Website: ico.org.uk

Phone: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

13. Contact Us

If you have questions about this Privacy Policy or how we handle your data:

Data Controller: Rich Moore (sole trader)

Trading as: Experi

Email: hello@experi.co.uk

© 2026 Experi. All rights reserved.