Legal Documentation

Legal & Compliance

Privacy Policy

This policy explains what personal data we collect, why we collect it, how we use it, and your rights in relation to it. We are committed to handling your data transparently and in compliance with applicable UK data protection law.

Effective Date: 20 February 2026  |  Last Updated: 20 February 2026  |  Version: 1.0

Section 01

Data Controller

ClearPayable (referred to in this policy as "we", "us", or "our") is the data controller responsible for the personal data processed through the Platform.

As a business-to-business platform, we primarily process personal data on behalf of our customers (the businesses using the Platform) in the context of their accounts payable operations. Where we collect and use personal data about our customers' representatives and users directly, we act as a data controller in our own right.

Section 02

Scope of This Policy

This Privacy Policy applies to all personal data processed in connection with the Platform, including data relating to:

  • Customer account holders and their authorised Users who register for and use the Platform.
  • Individuals whose personal data appears within invoice documents submitted to the Platform for processing (for example, the name of a supplier contact printed on an invoice).
  • Visitors to our website at clearpayable.com.
  • Individuals who contact us via email, form submission, or other direct communication channels.

This policy does not govern the data practices of third-party Accounting Platforms (QuickBooks Online, Xero) to which you connect the Platform. Those services operate under their own privacy policies and you should review those separately.

Section 03

What Data We Collect

We collect the following categories of personal and business data depending on how you interact with the Platform.

Category Specific Data Points Who It Relates To
Account Data Business name, registered address, company number, VAT number, primary contact name, email address, phone number Customer account holder
Authentication Data Hashed passwords, JWT tokens, session metadata Individual users on the account
Invoice Data Supplier name, supplier address, contact name on invoice, invoice number, date, line items, amounts, VAT, payment terms Supplier contacts named on invoices
Supplier Records Supplier name, address, contact details, approval rule configurations Supplier entities and contacts
Approval & Audit Data Approver decisions, timestamps, comments Individual users on the account
Billing Data Plan type, invoice volume tier, payment method details (processed via payment provider), billing history Customer account holder
Communication Data Content of emails sent to us, support requests, correspondence Anyone who contacts us
We Do Not Collect: We do not collect special category data (health, biometric, ethnic origin, religious belief, etc.). We do not collect personal data from individuals under the age of 18 and the Platform is not intended for personal use by consumers.

Section 04

How We Collect Data

Data is collected through the following means.

  • Direct Registration: When a business registers for the Platform, account and billing data is collected via the sign-up flow.
  • User Onboarding: When the account holder adds users to the Platform, individual user data is collected at that point.
  • Email Forwarding: Invoice documents submitted to the customer's dedicated Platform mailbox are processed and the data within those documents is extracted by the OCR engine.
  • Platform Activity: Actions taken within the Platform — approvals, rule configurations, supplier additions — are logged automatically as part of the audit trail.
  • Payment Processing: Billing data is collected at subscription and renewal. Payment card details are processed directly by our payment provider and are not stored on our servers.
  • Cookies and Website Analytics: Technical and usage data is collected automatically when users visit our website. See Section 14 for details.
  • Direct Communication: Any correspondence sent to us by email or through contact forms is retained.

Section 06

How We Use Your Data

Personal data collected through the Platform is used for the following purposes.

  • Service Delivery: To operate the Platform, process invoices, route approvals, and push approved invoices to the connected Accounting Platform.
  • Account Management: To manage your subscription, process payments, send billing notifications, and handle plan changes or cancellations.
  • Security & Access Control: To authenticate users via JWT, enforce role-based permissions, and maintain audit logs of all actions taken within the account.
  • Customer Support: To respond to support requests, troubleshoot issues, and communicate service updates.
  • Platform Improvement: To analyse usage patterns, identify errors, and improve the reliability and accuracy of the invoice extraction engine. This is done on an aggregated, anonymised basis wherever possible.
  • Legal Compliance: To comply with applicable legal obligations including financial record-keeping requirements and responses to lawful regulatory requests.
  • Marketing: To send product updates, feature announcements, or promotional communications where you have consented or where we are permitted to do so under applicable rules. You may opt out at any time.

Section 07

Invoice & Supplier Data

A significant portion of the data processed through the Platform relates not to the Customer's own employees but to the Customer's suppliers — third-party businesses and, in some cases, the named individuals on those supplier invoices (for example a sole trader or a named contact on a supplier document).

The Customer, as the party that submits invoice documents to the Platform, is responsible for ensuring they have a lawful basis to share that supplier data with us for processing. For most business-to-business invoicing this is covered by the legitimate interests of all parties in processing a commercial transaction, but the Customer should satisfy themselves of this where any doubt exists.

We process invoice and supplier data only to provide the service to the Customer. We do not use supplier data for any purpose beyond fulfilling the Customer's AP workflow, and we do not share supplier data with any party other than the Customer's connected Accounting Platform as directed by the Customer.

Important: Invoice documents may contain personal data relating to individuals (for example a sole trader's name and address). The Customer is the data controller for that personal data. We process it as a data processor acting on the Customer's instructions. A Data Processing Agreement (DPA) is available on request and should be in place where required by UK GDPR Article 28.

Section 08

Data Sharing & Third Parties

We do not sell, rent, or trade personal data with any third party. We share data only in the following limited circumstances.

Accounting Platforms

Approved invoice data is transmitted to QBO or Xero as directed by the Customer. This is the core function of the service.

Payment Processor

Billing data is shared with our payment provider, Stripe, solely to process subscription payments. We do not store card details.

Cloud Infrastructure

The Platform is hosted on managed cloud infrastructure. Data is stored on those servers in accordance with our security configuration.

Legal Requirements

We may disclose data where required by law, court order, or regulatory authority, or to protect the rights and safety of our users or the public.

Business Transfer

In the event of a merger, acquisition, or sale of the business, Customer data may be transferred to the acquiring entity, subject to equivalent privacy protections.

Professional Advisers

Solicitors, accountants, or insurers acting on our behalf where strictly necessary and subject to confidentiality obligations.

All third parties with whom we share personal data are required to handle it in accordance with applicable data protection law and our contractual requirements.

Section 09

Accounting Platform Integrations

When a Customer connects their QuickBooks Online or Xero account to the Platform, approved invoice data is transmitted to that platform via the relevant API. This data transfer occurs only when explicitly triggered by an approver action within the Customer's workflow.

Each Accounting Platform is an independent third-party service with its own data storage and privacy practices. Once invoice data has been transmitted to an Accounting Platform, it falls outside our control and is governed by that platform's own privacy policy.

  • QuickBooks Online — Intuit Privacy Policy: intuit.com/privacy
  • Xero — Xero Privacy Policy: xero.com/uk/legal/privacy

We are not responsible for the data practices of these third-party platforms and make no warranties regarding their privacy or security standards. Customers should review those policies independently.

Section 10

Data Retention

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected and to comply with our legal obligations. The following retention periods apply.

Data Type Retention Period Reason
Account and user data Duration of subscription, then up to 30 days after the end of the final billing cycle Account access, cancellation handling, and data export following termination
Invoice documents and extracted data Duration of subscription, then up to 30 days after the end of the final billing cycle Customer access during the active subscription term and the post-cancellation export window
Audit and approval logs Duration of subscription, then up to 30 days after the end of the final billing cycle Operational auditability during the subscription term and short post-cancellation recovery period
Billing records 7 years from transaction date HMRC financial record-keeping requirements
Support communications 3 years from last contact Dispute resolution and service improvement
Authentication and session logs 90 days rolling Security monitoring
Website analytics data 26 months Product and marketing analytics

Following the expiry of the applicable retention period, personal data is securely deleted or anonymised. Where a subscription is cancelled, the Customer retains access until the end of the current billing cycle and then has a further 30 days to export data before deletion is completed, as described in the Terms of Service. After this window, data deletion is irreversible, subject to any separate legal obligations to retain billing or tax records.

Section 11

Security Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. Our security measures include the following.

  • Encryption in Transit: All data transmitted between Users and the Platform is encrypted using TLS.
  • Authentication & Session Security: User sessions use signed JSON Web Tokens with defined expiry windows, and refresh tokens are stored in secure HttpOnly cookies.
  • CSRF Protection: State-changing authentication requests use CSRF tokens and origin checks to reduce the risk of cross-site request forgery.
  • Role-Based Access Control: Access to invoice data, supplier records, workflow actions, and user management is restricted according to the roles configured by the Customer. No user can access data outside their assigned permissions.
  • Tenant Isolation: Company-scoped access controls are enforced so that users can only act on data belonging to their own organisation.
  • Password & Secret Protection: User passwords are hashed using bcrypt and are never stored in plain text. Sensitive integration credentials are encrypted at rest using authenticated encryption.
  • Application Hardening: The Platform applies security headers, parameter pollution protection, input sanitisation, request size limits, XML/script blocking, and path traversal checks to reduce common web attack risks.
  • Rate Limiting: Authentication and API requests are rate limited to reduce abuse, brute force attempts, and excessive automated traffic.
  • Audit Logging: Key security-sensitive and operationally significant actions are logged with timestamps and user attribution where audit logging is implemented, supporting investigation and forensic review where required.
  • Infrastructure Security: The Platform is hosted on managed cloud infrastructure with access controls and operational safeguards designed to protect customer data.

Whilst we take security seriously, no system is entirely immune to risk. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will inform affected Customers without undue delay.

Section 12

International Data Transfers

We are a UK-based business and use service providers located in the UK and other jurisdictions. Where personal data is transferred outside the UK — including through cloud infrastructure, payment providers, email providers, monitoring tools, or third-party integrations — we ensure that appropriate safeguards are in place in accordance with UK GDPR Chapter V.

These safeguards may include UK adequacy regulations, International Data Transfer Agreements (IDTAs), or Standard Contractual Clauses (SCCs) as adopted and approved under UK law. Where data is transferred to third-party accounting platforms or other external service providers outside the UK, those transfers are also subject to the applicable provider's own transfer mechanisms and privacy commitments.

You may request details of the safeguards in place for any specific international transfer by contacting us at the address in Section 18.

Section 13

Your Rights

Under UK GDPR, individuals whose personal data we process have the following rights. These rights apply to natural persons (individuals) and are not rights held by corporate entities, though the individual representatives and users of our corporate customers can exercise them in relation to their own personal data.

Right of Access

You can request a copy of the personal data we hold about you and information about how we use it (Subject Access Request).

Right to Rectification

You can ask us to correct personal data that is inaccurate or incomplete.

Right to Erasure

You can request deletion of your personal data where we no longer have a lawful basis to retain it, subject to our legal obligations.

Right to Restrict Processing

You can ask us to suspend processing of your data in certain circumstances, for example while accuracy is contested.

Right to Data Portability

Where processing is based on consent or contract, you can request your data in a structured, commonly used, machine-readable format.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds.

Rights re: Automated Decisions

You have the right not to be subject to solely automated decisions that produce significant legal effects. The Platform does not make such decisions.

Right to Withdraw Consent

Where processing is based on your consent, you may withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us at support@clearpayable.com. We will respond within one calendar month. We may need to verify your identity before processing a request. Exercising your rights is free of charge except in cases of manifestly unfounded or excessive requests.

Section 14

Cookies & Tracking

Our website and Platform use cookies and similar tracking technologies to maintain sessions, remember preferences, and analyse usage. The categories of cookies we use are as follows.

  • Strictly Necessary Cookies: Required for the Platform to function. These include session cookies tied to JWT authentication and cannot be disabled without disrupting service access.
  • Analytics Cookies: Used to understand how visitors interact with our website and Platform. This data is collected on an aggregated basis using our analytics tooling. You may opt out via your browser settings or our cookie banner.
  • Functional Cookies: Used to remember user preferences and consent choices where applicable.

We do not use advertising or third-party tracking cookies. On your first visit to our website you will be presented with a cookie consent banner. You can update your preferences at any time via the cookie settings link in the footer of our website.

Section 15

Children's Data

The Platform is a business-to-business service intended exclusively for use by commercial entities and their adult employees. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that a minor's data has been submitted to the Platform, we will take steps to delete it promptly. If you believe a minor's data has been processed through the Platform in error, please contact us at support@clearpayable.com.

Section 16

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, the Platform's functionality, or applicable law. Where changes are material, we will notify active Customers by email or via an in-platform notification at least 14 days before the updated policy takes effect.

The "Last Updated" date at the top of this page indicates when the most recent revision was made. We encourage you to review this policy periodically. Continued use of the Platform following the effective date of any update constitutes acceptance of the revised policy.

Section 17

Complaints

If you have a concern about how we have handled your personal data, we ask that you contact us in the first instance so we can try to resolve the matter directly. We take all privacy concerns seriously and will respond to complaints within 30 days.

Section 18

Contact ClearPayable support.

Contact ClearPayable about AP automation, pricing, onboarding, security reviews, or product questions.

support@clearpayable.com