
Apron Payments Privacy Policy

Last reviewed: July 25, 2025

Apron Payments Ltd ("Apron" or "we" or "us" or "our") respects your privacy and is committed to protecting your personal data.

This Privacy Policy, together with our Terms of Service, outlines how we collect, use, process, and disclose your personal data when you use our products through our website, mobile app, or other services (collectively the “Service”).

  1. WHO WE ARE

    Apron Payments Ltd (“Apron”) is an Authorised Electronic Money Institution regulated by the UK Financial Conduct Authority (“FCA”) under firm reference number 1004915. Apron is authorised and regulated by the FCA under the Payment Services Regulations 2017 and Electronic Money Regulations 2011 (as amended and replaced from time to time) for the issuing of electronic money and the provision of payment services. Our registered address is 201 Bishopsgate, London, EC2M 3AB.

    Apron is registered with the Information Commissioner's Office (“ICO”) under registration number ZB636209.

    For the purposes of data protection law, Apron is the data controller of your personal data when you use the Service.

    If you have questions, contact our Data Protection Officer (“DPO”) at dpo@getapron.com or by post to: Apron, 201 Bishopsgate, EC2M 3AB, London.

  2. INFORMATION WE COLLECT

    We collect personal data directly from you and automatically through your use of our Service.

    1. Information You Provide
      1. Identity and Contact Details: Your name, business email and phone number;
      2. Profile Data: Display name, job title and other details in your profile information;
      3. Company Data: Company name and corporate details, business contacts and company phone number;
      4. Financial Information: Bank account numbers, payment history, payment amount;
      5. Support Communications: Phone number, issues you report, messages, documents, screenshots. This includes any additional information you provide to us when you give us feedback or contact us through our support channels and information provided to enable us to verify your identity through support communications;
      6. User Content: Text, files, and links submitted via our platform (e.g. chat forms); and
      7. Employee Data: employee names, roles, payment amounts for payroll and associated bank account details.
    2. Information We Collect Automatically Through Your Use of the Service
      1. Technical Data: IP address, browser type/version, OS, device ID, mobile network;
      2. Usage Data: Content viewed/searched, interaction data (scrolling, clicks, hovers), response times, visit duration, navigation paths;
      3. Uploaded Data: The type, size and filenames of attachments you upload to the Service and how you interact with others on the Service, including the names, addresses and financial data contained in documents uploaded for use of our Service;
      4. Crash & Diagnostic Data: Error messages, logs, download issues, call data; and
      5. Session Metadata: Account creation timestamp, session frequency, time of use.
    3. Two-Factor Authentication Data
      1. If you enable 2FA, we collect your phone number for SMS verification codes.
  3. PURPOSE AND LEGAL BASES FOR PROCESSING YOUR DATA

    The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases. We have outlined below, in a table format, a description of all the ways we plan to use the various categories of your personal data, along with the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

    | Purpose | Type of Data | Legal Basis | Retention period |
    | --- | --- | --- | --- |
    | Provide and operate the Service | Business name, user's name, contact details, supplier details, invoice data, payment instructions, and contact details | Performance of Contract | 5 years after the end of the relationship |
    | Process transactions and payments | Payment details, transaction history, account identifiers, and customer name | Performance of Contract | 5 years after the end of the relationship |
    | Account setup, access, and management | Name, email, phone number, address, login credentials, and account preferences | Performance of Contract | 5 years after the end of the relationship |
    | Manage our relationship with you and respond to customer support requests or complaints | Contact details, support interaction history, service usage, user ID and verification of ID | Legitimate Interests / Performance of Contract and comply with Legal Obligation | 5 years after the end of the relationship |
    | Improve and secure the Service | Technical logs, device information, usage analytics, error reports | Legitimate Interests | 5 years after the end of the relationship |
    | Prevent fraud and financial crime and meet our regulatory obligations | Identity documents, device/IP data, transaction patterns, sanctions screening data | Legal Obligation | 5 years after the end of the relationship |
    | Communicate updates and notifications | Name, contact details, service usage, communication preferences | Performance of Contract / Legitimate Interests / Consent | 5 years after the end of the relationship |
    | Target and personalise advertising via trusted partners or third-party platforms (e.g. LinkedIn) | Email address, company name, usage data, communication preferences | Consent | 5 years after the end of the relationship |
    | Train AI and improvement of our services | Anonymised or pseudonymised invoice data, usage data | Performance of Contract / Legitimate Interests / Consent | N/A |

  4. AI & MACHINE LEARNING

    We use AI and machine learning tools, including but not limited to, within Apron Capture, to enhance data processing and automation. This involves:
    1. Extracting structured data from uploaded documents (e.g., invoices);
    2. Learning from user corrections to improve accuracy; and
    3. Aggregating anonymised data to train AI models.

    Data is anonymised or pseudonymised and Apron takes all reasonable steps to protect data used for this purpose. You can opt out of your data being used for AI training by emailing our DPO at dpo@getapron.com.

  5. MARKETING COMMUNICATIONS & YOUR RIGHT TO OBJECT

    With your express consent, we may use your contact data (e.g., name and email) to send relevant marketing communications such as updates, offers, and product news. You have an absolute right to object to direct marketing at any time.

    To opt out:
    1. Click “unsubscribe” in any email; or
    2. Email dpo@getapron.com with your request.

    If we receive your objection, we will immediately stop sending you marketing messages. We may retain minimal contact details on a suppression list to ensure you are not contacted again.

  6. DATA SHARING

    To perform our contract with you or where it is in our legitimate interests, we may share your data with third parties where necessary, including:
    1. Customer support vendors (e.g., Intercom)
    2. Cloud service providers (e.g., AWS, Google Cloud)
    3. Payment processors (e.g., ClearBank, Currency Cloud, Checkout, Plaid)
    4. Analytics and support vendors to improve performance and troubleshoot issues
    5. Regulators, fraud databases (e.g., FCA) for compliance
    6. Potential buyers or acquirers in the event of a merger, acquisition, or asset sale

    We may also share limited personal data (such as your business email address) with advertising platforms like LinkedIn, Google, or Meta for the purpose of creating “custom audiences” or “matched audiences” that allow us to show relevant ads to our users and potential customers. These platforms process this data solely to match against their user base and do not gain access to identifiable information unless you are already a user of their services.

    We only share this data where permitted by law and under appropriate safeguards, such as secure, hashed data uploads. You can object to this use of your data at any time by contacting dpo@getapron.com.

    We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

  7. LINKS TO THIRD-PARTY SITES

    Our Service may contain links to third-party sites and embedded features (e.g., social media widgets). These are governed by their own privacy policies. We are not responsible for the data processing practices of those third parties. Where appropriate, we have linked these third party privacy policies in our Terms & Conditions.

  8. INTERNATIONAL TRANSFERS

    Some of our service providers are based outside the UK. Whenever we transfer your personal data out of the UK to countries which have laws that do not provide the same level of data protection as the UK law, we always ensure that a similar degree of protection is afforded to it by ensuring that the following safeguards are implemented:
    1. An adequacy decision exists; or
    2. Standard Contractual Clauses (SCCs) are in place; or
    3. Other safeguards are applied (e.g., certification mechanisms).

    You can request more details by emailing our DPO at dpo@getapron.com

  9. DATA RETENTION

    We retain data only as long as needed for:
    1. Service provision and support;
    2. Compliance with legal obligations (e.g., AML regulation); and
    3. Exercise or defence of legal claims.
    Factors affecting retention:
    1. Statutory obligations and limitations;
    2. Pending disputes or investigations; and
    3. Your specific data deletion requests.

    In some circumstances you can exercise your right of erasure and ask us to delete your data; see paragraph 10 below for further information.

    In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

  10. YOUR RIGHTS
    1. Under the UK GDPR, you have the following rights:
      1. Right to object – to our processing in certain situations (e.g., objecting to the use of your personal data for targeted advertising, including sharing with third-party platforms such as LinkedIn. To opt out, contact dpo@getapron.com or adjust your preferences via the unsubscribe link in our marketing emails.)
      2. Right to be informed – about our data collection and uses
      3. Right of access – to your personal data
      4. Right to rectification – of inaccurate or incomplete data
      5. Right to erasure – in certain cases, such as when data is no longer needed
      6. Right to restrict processing – temporarily or permanently
      7. Right to data portability – to transfer your data elsewhere
      8. Right to lodge a complaint – with the Information Commissioner’s Office (ICO)
      9. Right to withdraw consent – at any time, where consent is used
    2. No fee usually required:

      You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

    3. Information we need from you:

      We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

    4. Contact and timeframe:

      To exercise your rights, email dpo@getapron.com. We aim to respond to all legitimate requests within one month.

      Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

  11. SECURITY MEASURES

    We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We maintain the following administrative, technical, and physical safeguards to protect your data:
    1. Encrypted data transmission and storage;
    2. Regular security audits and access reviews;
    3. Two-factor authentication and session controls; and
    4. Data minimisation and pseudonymisation.

    We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

    Despite our best efforts, no online system is completely secure. If you suspect a breach, contact us immediately.

  12. CHANGES TO THIS POLICY

    We keep our privacy policy under regular review. This version was last updated as noted in the review date above. We may also notify you directly of material changes to this policy.

    It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example, a new address or email address.

  13. CONTACT DETAILS

    If you have any questions about this privacy policy or about the use of your personal data or you want to exercise your privacy rights, please contact our DPO in the following ways:

    Email: dpo@getapron.com
    Post: Apron Payments Ltd, 201 Bishopsgate, London, EC2M 3AB

  14. COMPLAINTS

    You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.