Privacy Policy

Last updated: 7 April 2026

Graft ("we", "our", "us") is operated by Sam Barrett, a sole trader registered in England. This policy explains how we collect, use, and protect your personal data when you use the Graft mobile application.

We are registered with the Information Commissioner's Office (ICO). Contact: [email protected].

1. What Data We Collect

• Account information: Full name, email address, trade type, password (hashed — never stored in plain text)
• Business details: Business name, address, phone number, business email
• Financial details: Bank account name, sort code, and account number (displayed on your invoices only)
• Tax identifiers: National Insurance number and Unique Taxpayer Reference (UTR) — required for HMRC Making Tax Digital submissions
• Job data: Job titles, descriptions, client details, time entries, material costs, photos, notes
• Financial records: Quotes, invoices, expenses, mileage entries, tax quarter figures
• Receipt images: Photos of receipts uploaded for expense tracking and AI scanning
• Device information: Device type, OS version, timezone (required by HMRC for fraud prevention headers)
• Subscription data: Subscription plan and status (managed by Apple via RevenueCat)

2. Why We Collect It

We process your data under the following lawful bases:

• Contract performance: Your account details, business details, NI number, and UTR are necessary to provide the service — specifically job management, invoicing, and HMRC MTD submissions.
• Legitimate interest: Job data, financial records, and client details are processed to provide job management and invoicing features.
• Consent: Receipt scanning via AI and push notifications are optional features you choose to use.
• Legal obligation: HMRC fraud prevention headers are required by law on every HMRC API submission.

3. How We Store and Protect Your Data

• All data is stored on Supabase servers in the London (eu-west-2) region.
• Data is encrypted at rest using AES-256 encryption.
• All data in transit is encrypted via HTTPS/TLS.
• Authentication tokens are stored on your device using iOS Keychain / Android Keystore (via Expo SecureStore), not in plain text.
• HMRC OAuth tokens are stored only on our server in an encrypted database. They are never stored on your device.
• Bank details, NI number, and UTR are masked on screen and require biometric authentication (Face ID / fingerprint) to reveal.
• Every database table has Row Level Security enabled — you can only access your own data.
• The HMRC Client Secret never leaves our server — all HMRC API calls happen server-side.

4. Who We Share Your Data With

• HMRC — When you submit a quarterly MTD return, we send your income total, expense total, and National Insurance number. We do not send individual job details, client names, or receipts.
• Anthropic (Claude AI) — When you scan a receipt, the image is sent for text extraction. No other personal data is sent. Images are not retained after processing.
• Supabase — Our database and file storage provider (London region). Acts as a data processor under our instructions.
• RevenueCat — Manages subscription status. Receives your anonymous user ID only. Does not receive your name, NI number, or financial data.
• Stripe — If you enable payment links on invoices, Stripe processes payments from your clients.
• Apple / Google — Process subscription payments via the App Store / Play Store.

We do not sell your data. We do not use your data for advertising.

5. How Long We Keep Your Data

• Active accounts: Data retained while your account is active.
• Deleted accounts: All data is permanently removed immediately when you delete your account — including jobs, invoices, expenses, photos, client records, and HMRC tokens. Anonymised backups may persist for up to 30 days before being overwritten.
• Tax records: UK law requires you to keep tax records for at least 5 years. We recommend exporting your data before deleting your account.
• Server logs: Retained for up to 7 days. Contain no personally identifiable information.

6. Your Rights

Under UK GDPR, you have the right to:

• Access your data — use the CSV Export feature in Settings, or email us.
• Rectify your data — edit your profile, jobs, and records directly in the app.
• Erase your data — delete your account in Settings. This removes all data permanently.
• Port your data — export jobs, expenses, invoices, and mileage as CSV files.
• Object to processing — email us at [email protected].
• Withdraw consent — disable push notifications or stop using receipt scanning at any time.

To exercise any right, email [email protected]. We will respond within 30 days.

7. Children

Graft is not intended for anyone under 16. We do not knowingly collect data from children.

8. Data Breach Procedure

In the event of a data breach that poses a risk to your rights, we will notify the ICO within 72 hours and notify affected users without undue delay.

9. Changes

We may update this policy. Significant changes will be notified via the app or email.

10. Contact

Sam Barrett
Email: [email protected]
Website: trygraft.app