Privacy Policy

Sarvflow Ltd
Effective Date: 9 August 2025
Last Updated: 9 August 2025

1. Introduction

1.1 This Privacy Policy sets out in detail how Sarvflow Ltd (“Sarvflow”, “we”, “our”, or “us”), a company registered in England and Wales with company number 16629493 and registered office at 86–90 Paul Street, London, EC2A 4NE, United Kingdom, collects, uses, stores, transfers, and safeguards your personal data when you interact with our website, mobile application(s), APIs, or any related services (collectively, the “Services”).

1.2 We are committed to complying in full with:

  • The UK General Data Protection Regulation (“UK GDPR”)

  • The EU General Data Protection Regulation (“EU GDPR”) where applicable

  • The Data Protection Act 2018

  • The Privacy and Electronic Communications Regulations (“PECR”)

  • Applicable ePrivacy and PSD2/Open Banking requirements

1.3 By accessing or using our Services, you acknowledge that you have read and understood, and agree to, the terms of this Privacy Policy. If you do not agree, you must cease all use of our Services.

2. Data Controller and Contact Details

Sarvflow Ltd acts as the Data Controller for your personal data unless otherwise stated.

Data Controller: Sarvflow Ltd
Company Number: 16629493
Registered Office: 86–90 Paul Street, London, EC2A 4NE, United Kingdom
Contact Email: contactus@sarvflow.com

3. Categories of Personal Data We Collect

We may collect and process the following categories of personal data:

3.1 Identity and Contact Data – name, date of birth, email address, telephone number.

3.2 Authentication Data – encrypted login credentials, multi-factor authentication tokens.

3.3 Open Banking Data (via Tink AB, an FCA-registered AISP under PSD2) – including account balances, transaction history, account identifiers, credit/debit card details, and categorised spending patterns.

3.4 Technical and Usage Data – IP address, device identifiers, browser type, operating system, access timestamps, session durations, clickstream data, crash logs.

3.5 AI Interaction Data – chat prompts, responses, goal-setting inputs, lifestyle preferences, and behavioural analytics generated through your use of our AI-driven features.

3.6 Communications Data – customer service correspondence, feedback, and survey responses.

4. Methods of Collection

We collect personal data:
(a) Directly from you – when you create an account, connect your bank, or interact with the Services.
(b) Automatically – through cookies, SDKs, and other tracking technologies.
(c) From third parties – e.g., your bank via Tink AB, analytics providers, or marketing partners (only where legally permitted).

5. Legal Bases for Processing

We process personal data on the following lawful bases:

  • Contract performance – delivering the Services you request.

  • Consent – for Open Banking access, marketing, and non-essential cookies.

  • Legitimate interests – fraud prevention, service optimisation, and analytics (balanced against your rights).

  • Legal obligation – compliance with applicable law, including PSD2, AML, and regulatory reporting.

6. Purposes of Processing

We use personal data to:

  1. Provide, personalise, and improve the Services.

  2. Facilitate secure Open Banking integration and account connectivity.

  3. Deliver AI-powered insights, lifestyle nudges, and behavioural prompts.

  4. Detect, prevent, and investigate fraud or unauthorised activity.

  5. Conduct analytics and usage trend monitoring.

  6. Comply with regulatory, legal, and audit requirements.

7. Open Banking Compliance

When you connect financial accounts to Sarvflow:

  • Your credentials are never stored by Sarvflow.

  • All data access is via secure, encrypted tokens provided by Tink AB.

  • You may revoke consent at any time through our platform or your bank’s interface.

  • Tink AB is regulated by the Swedish Financial Supervisory Authority and registered with the UK Financial Conduct Authority for PSD2 services.

  • We access only the data necessary to fulfil the Services and retain it no longer than required for those purposes.

8. Data Sharing

We do not sell or lease personal data. We may share data with:

  • Tink AB for Open Banking connectivity.

  • Cloud service providers, analytics tools, and subcontractors under binding contracts.

  • Professional advisers (lawyers, auditors) under confidentiality obligations.

  • Regulatory authorities, law enforcement, or courts as required by law.

9. International Data Transfers

Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as:

  • UK International Data Transfer Agreement (IDTA)

  • EU Standard Contractual Clauses (SCCs)

  • Adequacy decisions issued by the UK or by the European Commission

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by law:

  • Account data: retained while active and up to 6 years after closure.

  • Open Banking data: retained no longer than 90 days unless required for ongoing service delivery or compliance.

  • Anonymised data: retained indefinitely for statistical analysis.

11. Data Security

We employ robust technical and organisational measures, including:

  • AES-256 encryption for data at rest

  • TLS 1.2+ encryption for data in transit

  • OAuth 2.0 with PKCE for secure authentication

  • Role-based access controls

  • Regular penetration testing and security audits

12. Your Rights

Under the UK GDPR, you have the right to:

  • Access your data

  • Rectify inaccurate data

  • Request erasure (“right to be forgotten”)

  • Restrict processing

  • Object to processing

  • Request data portability

  • Withdraw consent at any time (without affecting prior lawful processing)

To exercise your rights, contact contactus@sarvflow.com. We will respond within statutory timeframes.

13. Cookies and Tracking

We use cookies and similar technologies in accordance with our Cookie Policy, which forms part of this Privacy Policy.

  • Essential cookies are always active.

  • Non-essential cookies (analytics, marketing) are used only with your explicit opt-in consent.

14. Children’s Data

Our Services are not intended for individuals under 18. We do not knowingly collect their data, and will delete any such information if discovered.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in law, technology, or business practices. We will notify you of material changes via email or in-app notice.

16. Complaints

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Website: https://ico.org.uk
Telephone: +44 (0)303 123 1113

17. Contact

Sarvflow Ltd
Company Number: 16629493
Registered Office: 86–90 Paul Street, London, EC2A 4NE, United Kingdom
Email: contactus@sarvflow.com