§
Finox/Privacy
§ Privacy notice · UK GDPR

Your data, plainly handled.

Finox Limited (“Finox”, “we”, “us”) takes data protection seriously. This notice explains what personal data we collect, why we collect it, how long we keep it, and your rights under UK GDPR and the Data Protection Act 2018.

Last updated: 13 May 2026 · Version 1.0

1 · Who we are

Finox Limited is the data controller for the personal data we collect about you. We are a private limited company registered in England & Wales.

  • Company name: Finox Limited
  • Company number: 17084281
  • Registered office: Office 17847, 182–184 High Street North, East Ham, London, E6 2JA, United Kingdom
  • Contact for data matters: info@finox.co.uk
  • General contact: info@finox.co.uk

2 · What data we collect

We only collect data we genuinely need. In practice, that’s these categories:

2.1 Information you give us directly

  • Contact form / email enquiries: name, email, company, stage, and the message you write.
  • Bookings (Calendly or similar): name, email, time slot, optionally a phone number.
  • Engagement / client onboarding: business name, registered number, directors’ names, addresses, dates of birth, identification documents and proof of address (required by UK Money Laundering Regulations 2017 for client due diligence).
  • Service delivery: financial records, transaction data, payroll data, and other documents you share with us to deliver the services in our engagement letter.

2.2 Information collected automatically

  • Server / hosting logs: IP address, browser type, pages visited — collected by our hosting provider (Vercel) for security and operational purposes.
  • Local storage: a single browser localStorage entry called finox-theme remembers your light / system / dark mode preference. It is stored on your device, not transmitted to us, and is exempt under PECR as “strictly necessary” for the function you requested.
  • No cookies. This website does not set cookies. We do not use analytics, advertising, retargeting, fingerprinting or tracking pixels.

3 · Why we use your data · our lawful basis

Under UK GDPR we need a lawful basis for processing personal data. Ours are:

  • Contract (Art. 6(1)(b)): processing necessary to deliver the services you’ve engaged us for — bookkeeping, accounts, modelling, Build sprints, etc.
  • Legitimate interests (Art. 6(1)(f)): responding to enquiries, providing diagnostics and quotes, sending one operational email per enquiry, securing our infrastructure.
  • Legal obligation (Art. 6(1)(c)): client due diligence under the Money Laundering Regulations 2017 (where applicable), keeping records HMRC and Companies House require, retaining accounts for the statutory minimum period.
  • Consent (Art. 6(1)(a)): only for optional newsletter signup. You can withdraw consent at any time via the unsubscribe link.

4 · Who we share data with

We do not sell or rent personal data. We share it only with:

  • Sub-processors operating under our instruction: hosting (Vercel Inc.), email (e.g. Resend / Postmark), accounting tools (Xero), file storage and collaboration (Google Workspace / Notion), AI tooling for internal drafting (Anthropic, OpenAI — using zero-data-retention configurations where available).
  • Regulators & authorities: HMRC, Companies House, the National Crime Agency (Suspicious Activity Reports under MLR), the ICO, courts — when legally required.
  • Professional advisors: our insurers, lawyers and accountants under duties of confidence.
  • Successors: if Finox is sold or merged, your data may be transferred to the acquirer, who will be bound by this notice.

5 · International transfers

Some of our sub-processors (e.g. Vercel, Anthropic, OpenAI) are based in the United States. Where we transfer personal data outside the UK, we rely on:

  • The UK Government’s adequacy decisions where they apply (e.g. EU/EEA, UK–US Data Bridge);
  • Standard Contractual Clauses (SCCs) plus the UK Addendum where adequacy does not apply;
  • Provider-level technical safeguards (encryption in transit and at rest, access controls).

6 · How long we keep your data

  • Enquiry / contact form data: 12 months from your last interaction, then deleted.
  • Client engagement records: 7 years after the end of the engagement (HMRC statutory retention for accounting records).
  • AML / identification documents: 5 years after the end of the engagement (Money Laundering Regulations 2017 retention period), then deleted.
  • Server logs: 30 days, then auto-deleted by our hosting provider.
  • Newsletter subscribers: until you unsubscribe.

7 · Your rights under UK GDPR

You have the following rights. Most can be exercised by emailing info@finox.co.uk; we’ll respond within one calendar month.

  • Access: a copy of the personal data we hold about you.
  • Rectification: correction of inaccurate data.
  • Erasure (“right to be forgotten”): deletion, subject to legal retention obligations.
  • Restriction: temporarily limit how we use your data while a query is resolved.
  • Portability: receive your data in a machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: at any time, where consent is the lawful basis.
  • Automated decisions: we do not make decisions about you using fully automated processing.

8 · How to complain

We hope you’ll raise concerns with us first — we’d rather fix it. Email info@finox.co.uk.

You also have the right to complain to the UK Information Commissioner’s Office:

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

9 · Security

We protect personal data with TLS in transit, encryption at rest where supported by our providers, role-based access controls, two-factor authentication on all admin accounts, and an internal “need to know” principle. We will notify the ICO and affected individuals of any qualifying personal data breach within 72 hours, as required by UK GDPR.

10 · Changes to this notice

We may update this notice from time to time. The “Last updated” line at the top reflects the latest revision. Material changes will be highlighted on the home page for at least 30 days.


This notice is provided for transparency under Articles 13 and 14 of the UK General Data Protection Regulation. If anything here is unclear, email info@finox.co.uk and we’ll plain-English it.

Questions about your data?

Email us — we’ll reply.