1. Information Collection and Use
Stack Zero Limited ("we", "us", "our") operates savvibills.com and the Savvi platform (the "Service"). We are committed to protecting and respecting your privacy. This privacy policy explains how we collect, use, store and share your personal data when you use our Service.
We are the data controller for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Stack Zero Limited is registered in England and Wales. Company number: 09373967. Registered address: Bridge Farm, Holt Lane, Ashby Magna, LE17 5NJ.
If you have any questions about this privacy policy or our data practices, please contact us at privacy@savvibills.com.
2. What Data We Collect
We collect and process the following categories of personal data:
Account data - When you create an account, we collect your name, email address and password (which is stored only in hashed form using an industry-standard password-hashing algorithm). If you sign in using Google, we also receive your profile image from Google.
Property and profile data - Information you provide or that we extract from your documents to organise your records into Profiles. This includes postal addresses, property details, vehicle information, business names and person names. Profiles may represent a Property, Person, Vehicle, Business or Asset.
Financial documents - Bills, contracts, certificates, manuals and other documents you upload to the Service, including the file content, file type and associated metadata such as upload date and file size.
Extracted data - Information that our AI systems automatically extract from your uploaded documents. This includes supplier names, account numbers, monetary amounts, dates, payment terms, line items and other structured data identified within your documents.
Supplier and account data - Your relationships with suppliers, including supplier names, account numbers, payment frequencies, contract start and end dates and renewal dates. This data may be entered by you directly or extracted from your uploaded documents.
Billing data - Your Stripe customer ID, subscription status and plan type so that we can manage your subscription. We do not store your payment card details - these are held securely by our payment processor, Stripe, in accordance with PCI DSS standards.
Integration data - When you connect third-party services such as Xero, QuickBooks or Google Drive, we store OAuth access tokens and refresh tokens necessary to maintain the connection and synchronise data on your behalf. When you connect Google Drive, we also access file metadata (names, types, sizes) and file contents from your selected folder, as well as your Google account email address to display which account is connected. See Section 6 for full details on our use of Google API data.
Technical data - Session tokens, trusted device tokens, IP addresses and browser information collected automatically when you access the Service. This data is necessary for authentication, security and the proper functioning of the platform.
Communications - Emails sent to your Savvi inbox email address for the purpose of document upload, as well as transactional emails we send to you, including welcome emails, password reset emails and two-factor authentication codes.
Usage data - Your preferences such as table column settings and dismissed banners, as well as activity logs recording actions taken on profiles and supplier accounts within the Service.
3. How We Collect Data
We collect your personal data through the following means:
Directly from you - When you create an account, upload documents, enter information manually, update your profile details or connect third-party integrations. You provide this data voluntarily through your use of the Service.
Automatically - Through cookies and session tokens when you use our Service. We collect technical data such as session identifiers and trusted device tokens to authenticate your access and maintain security.
From third parties - Via Google when you sign in using Google authentication, including your name, email address and profile image. From Google Drive when you import files into Savvi. From Xero or QuickBooks when you synchronise your accounting data with the Service.
Through AI processing - Data derived from your uploaded documents via our automated AI extraction systems. When you upload a document, our AI analyses its contents and extracts structured data such as supplier names, account numbers, dates and amounts.
Via inbound email - When you send or forward documents to your unique Savvi inbox email address, we receive and process the email and any attachments for document upload and extraction.
4. Lawful Bases for Processing
Under Article 6 of the UK GDPR, we rely on the following lawful bases to process your personal data:
Performance of contract - We process the following activities because they are necessary to provide you with the Savvi service:
Account creation and authentication
Document storage and organisation
AI document extraction and classification
Billing and subscription management
Transactional emails (welcome, password reset, two-factor authentication)
Consent - We process the following activities only where you have given explicit consent:
Third-party integrations (Xero, QuickBooks, Google Drive) - you choose to connect each integration
Legitimate interest - We process the following activities on the basis of our legitimate interest in operating a secure and functional service:
Activity logging and audit trails (security monitoring and service improvement)
Session and cookie management (necessary for secure operation of the service)
5. Third-Party Data Processors
We share your personal data with the following third-party processors who act on our behalf and under our instructions:
OpenAI / Google (Gemini) - United States - AI document extraction and classification. We share document text and images.
Stripe - United States - Payment processing. We share your email address and subscription data.
Mailgun (Sinch) - European Union - Email delivery. We share email addresses and email content.
Google - United States - Authentication via OAuth and Google Drive import at your direction. We receive your name, email address and profile image for authentication, and file metadata and contents for Drive imports. See Section 6 for full details.
Xero - Global - Accounting software sync. We share supplier and bill data.
Intuit (QuickBooks) - United States - Accounting software sync. We share supplier and bill data.
Serper - United States - Supplier contact information lookup. We share supplier names only - no personal data.
Cloud storage provider - Configured per deployment - Document file storage. We share uploaded document files.
6. Google API Services & User Data
Savvi uses Google API Services to provide Google authentication and Google Drive import functionality. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
What Google data we access - When you connect Google authentication, we receive your name, email address and profile image. When you connect Google Drive, we access file metadata (names, types, sizes) and file contents from your selected folder, as well as your Google account email address to display which account is connected.
How we use Google user data - We use Google authentication data solely to create and manage your Savvi account. We use Google Drive data solely to import documents into your Savvi document library at your explicit direction. We do not use Google user data for any purpose other than providing and improving the features you use within Savvi.
How we share Google user data - The content of documents imported from Google Drive is sent to our AI providers (OpenAI or Google Gemini) for extraction and classification, under data processing agreements. This is the same processing applied to all documents in Savvi, regardless of how they were uploaded. No other third parties receive your Google Drive data.
Limited Use disclosure - In accordance with Google's Limited Use requirements, we confirm that we do NOT use Google user data for:
Serving advertisements or retargeting
Selling or transferring data to third parties, except as necessary for the app's core document-processing functionality described above
Determining creditworthiness or for lending purposes
Surveillance
Training generalised artificial intelligence or machine learning models unrelated to the user's specific use of the app
Human access to Google user data is limited to situations where the user has given affirmative consent, it is necessary for security purposes (such as investigating abuse), it is required to comply with applicable law, or our use is limited to internal operations and the data has been aggregated and anonymised.
Revoking access and deleting Google data - You can disconnect Google Drive at any time from your Savvi integration settings. When you disconnect, we revoke the OAuth tokens with Google and delete them from our database, and Savvi loses all further access to your Google Drive. Documents that were previously imported from Google Drive remain in your Savvi account until you choose to delete them, as they have been incorporated into your document library.
You can also revoke Savvi's access externally at any time by visiting your Google Account permissions page.
7. International Data Transfers
Some of our third-party processors are located outside the United Kingdom. Where we transfer your personal data to processors in the United States, we rely on the UK-US Data Bridge (the UK Extension to the EU-US Data Privacy Framework) as our transfer mechanism.
We ensure that all processors to whom we transfer data provide adequate safeguards for your personal data in accordance with UK GDPR. Where applicable, we implement supplementary measures such as Standard Contractual Clauses to protect your data during international transfers.
8. Data Retention
We retain your personal data only for as long as necessary for the purposes set out in this policy. Our specific retention periods are as follows:
Active accounts - Your data is retained for as long as your account remains active and you continue to use the Service.
Deleted accounts - When you delete your account, your data is soft-deleted and remains recoverable for 30 days. After 30 days, your data is permanently deleted from our systems, including all documents, profiles, supplier accounts and associated records.
Session tokens - Expire according to their configured lifetime.
Trusted device tokens - Expire after 30 days.
OAuth state tokens - Expire after 10 minutes.
Password reset tokens - Expire after 1 hour.
Integration tokens - Retained while the integration is connected to your account. When you disconnect an integration, the associated tokens are deleted immediately.
9. Your Rights Under UK GDPR
Under the UK GDPR, you have the following rights in relation to your personal data:
Right of access - You have the right to request a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR). We will provide your data in a commonly used electronic format.
Right to rectification - You have the right to request that we correct any inaccurate personal data we hold about you, or complete any incomplete data.
Right to erasure - You have the right to request the deletion of your personal data (also known as the "right to be forgotten"). You can exercise this right by deleting your account through the Service, or by contacting us directly.
Right to restrict processing - You have the right to request that we limit how we use your data in certain circumstances, for example while we investigate a complaint you have made.
Right to data portability - You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to transmit that data to another controller.
Right to object - You have the right to object to our processing of your personal data where we rely on legitimate interest as our lawful basis. We will stop processing unless we can demonstrate compelling legitimate grounds that override your rights.
Rights related to automated decision-making - Our AI extraction system processes your documents automatically to extract and classify data. You have the right to request human review of any AI-processed data, which you can do through our inbox review system. AI extraction results include confidence scores, and items flagged for review are presented for your manual verification before being applied to your records.
To exercise any of these rights, please contact us at privacy@savvibills.com. We will respond to your request within one month of receipt. In exceptional circumstances, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for it.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated. You can contact the ICO at ico.org.uk.
10. Cookies and Similar Technologies
We use cookies and similar technologies that are strictly necessary for the operation of the Service.
Essential cookies
savvi-customer-session - Authenticates your session. Duration: browser session.
savvi-trusted-device - Remembers trusted devices for two-factor authentication. Duration: 30 days.
xero_oauth_state - Verifies Xero integration OAuth flow. Duration: 10 minutes.
qbo_oauth_state - Verifies QuickBooks integration OAuth flow. Duration: 10 minutes.
gdrive_oauth_state - Verifies Google Drive integration OAuth flow. Duration: 10 minutes.
Local storage - In addition to cookies, we use browser localStorage for functional preferences. Items such as savvi_column_prefs_* (table column display settings) and savvi_banner_dismissed (dismissed notification banners) are stored locally on your device. These do not track you across websites and are used solely to remember your interface preferences.
We do not use analytics cookies, advertising cookies or marketing cookies. We do not engage in cross-site tracking of any kind.
11. Security Measures
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it:
Passwords are hashed using bcrypt with a cost factor of 12, ensuring they cannot be reversed or read by anyone, including our staff.
Sessions use JSON Web Tokens (JWT) with token versioning, enabling instant invalidation of all active sessions when required for security purposes.
Webhook payloads from third-party services are verified using HMAC-SHA256 signatures to prevent tampering and ensure authenticity.
Document access uses pre-signed URLs that expire after 15 minutes, ensuring that file links cannot be shared or reused beyond a short window.
Optional two-factor authentication is available via email codes or authenticator app (TOTP), providing an additional layer of security for your account.
All data is transmitted over HTTPS/TLS encryption, protecting your information in transit between your browser and our servers.
Distributed locking mechanisms prevent concurrent data corruption during parallel processing operations, maintaining the integrity of your records.
12. Children
Savvi is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly. If you believe that we may have collected data from someone under 18, please contact us at privacy@savvibills.com.
13. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. Where we make material changes to this policy, we will notify you by email to the address associated with your account.
Your continued use of the Savvi service after notification of changes constitutes your acceptance of the updated policy. We encourage you to review this policy periodically to stay informed about how we protect your data.
14. Contact
If you have any questions, concerns or requests regarding this privacy policy or your personal data, please contact us:
Stack Zero Limited, trading as Savvi
Company number: 09373967
Registered address: Bridge Farm, Holt Lane, Ashby Magna, LE17 5NJ
Email: privacy@savvibills.com
