This Privacy Policy explains how ValueAmp Advisory Ltd ("ValueAmp", "we", "us", "our") collects, uses, stores, and protects your personal data when you use our platform at app.valueamp.co.uk. We are committed to protecting your privacy in accordance with the UK GDPR, the Data Protection Act 2018, and applicable EU data protection law.
1. Who We Are
ValueAmp Advisory Ltd is the data controller responsible for your personal data. We operate a financial intelligence platform providing management accounts, forecasting, and value creation tools to UK SMEs and PE portfolio companies.
Registered in England and Wales. For data protection enquiries, contact us at: privacy@valueamp.co.uk
2. Data We Collect
2.1 Account & User Data
- Email address (required for account creation and login)
- Full name (provided during registration or invite acceptance)
- Profile avatar (optional)
- Role and access permissions (admin, analyst, viewer)
- Login timestamps and session activity
- IP address (collected by Supabase Auth at sign-in)
2.2 Employee Data (uploaded by your organisation)
Where your organisation uploads employee information for use in the People module, we process: full name, job title, department, start/leave dates, salary, employment type, and FTE fraction. This data is provided by your organisation and processed on its instructions, with ValueAmp acting as data processor.
2.3 Financial Data
Your organisation uploads financial data (trial balances, budgets, forecasts, customer revenue, and commercial data). This data belongs to your organisation. We process it solely to provide the platform services.
2.4 Usage & Technical Data
- Browser type and version
- Device type (desktop, mobile)
- Pages visited and features used within the platform
- Error logs and diagnostic data
2.5 Data We Do Not Collect
- Payment card details (we do not currently process payments through the platform)
- Government ID numbers or National Insurance numbers
- Biometric or health data
- Data relating to individuals under 18
3. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the platform and services | Account data, financial data, employee data | Contract performance |
| User authentication and access control | Email, role, session data | Contract performance |
| Sending invite and password reset emails | Email address | Contract performance |
| Improving platform functionality | Usage data, error logs | Legitimate interests |
| Security monitoring and fraud prevention | IP address, login activity | Legitimate interests |
| Communicating service updates | Email address | Legitimate interests |
| Legal and regulatory compliance | All data as required | Legal obligation |
4. Legal Basis for Processing
We rely on the following legal bases under UK GDPR Article 6:
- Contract performance (Article 6(1)(b)): processing necessary to provide you with the services you have contracted for
- Legitimate interests (Article 6(1)(f)): improving our services, ensuring platform security, and communicating relevant updates, where these interests are not overridden by your rights
- Legal obligation (Article 6(1)(c)): where we are required to process data to comply with applicable law
- Consent (Article 6(1)(a)): for optional communications beyond those required to deliver the service, where we obtain your explicit consent
6. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Active user account data | Duration of account + 30 days post-deletion | Contract performance |
| Financial data (TB, budgets, forecasts) | Duration of subscription + 12 months | Contract performance / legitimate interests |
| Employee data | Duration of subscription + 12 months | Contract performance |
| Authentication logs (login timestamps, IP) | 90 days | Security / legitimate interests |
| Error logs and diagnostic data | 30 days | Legitimate interests |
| Deleted user data | Removed within 30 days of account deletion | Data minimisation |
You may request earlier deletion of your personal data under your rights described in Section 8. We will action deletion requests within 30 days unless we have a legal obligation to retain the data.
7. Data Residency & International Transfers
Your data stays in the EU
All financial and personal data is stored in Supabase Cloud, hosted in eu-west-2 (AWS Dublin, Ireland). This is within the European Economic Area and does not require any international transfer mechanism under UK GDPR Chapter V or EU GDPR.
Vercel (our hosting provider) and Cloudflare (our DNS provider) are US-based. We rely on Standard Contractual Clauses (SCCs) and Vercel/Cloudflare's UK/EU data transfer mechanisms for any processing that occurs outside the EEA. In practice, all financial data at rest remains in Dublin.
8. Your Rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Receive a copy of all personal data we hold about you | Email privacy@valueamp.co.uk |
| Rectification | Correct inaccurate or incomplete data | Update in Settings, or email us |
| Erasure | Request deletion of your personal data ("right to be forgotten") | Email privacy@valueamp.co.uk |
| Restriction | Restrict processing of your data in certain circumstances | Email privacy@valueamp.co.uk |
| Portability | Receive your data in a machine-readable format | Email privacy@valueamp.co.uk |
| Objection | Object to processing based on legitimate interests | Email privacy@valueamp.co.uk |
| Withdraw consent | Withdraw consent where processing is consent-based | Email privacy@valueamp.co.uk |
| Automated decisions | Not be subject to solely automated decision-making with legal effects | N/A: we do not use automated decision-making |
We will respond to all valid requests within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
9. Security
We take the security of your data seriously and implement appropriate technical and organisational measures including:
- All data transmitted over HTTPS/TLS 1.2+ (enforced at Cloudflare edge)
- Database-level Row Level Security (RLS): your data cannot be accessed by other tenants even if application code were compromised
- JWT-based session tokens with short expiry (1 hour)
- Passwords hashed using bcrypt via Supabase Auth
- Access controls: role-based permissions limit data visibility within your organisation
- Service role key (unrestricted DB access) used only in server-side API routes, never exposed to browsers
- Daily automated database backups by Supabase
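The tenant-isolation control listed above (database-level RLS on Supabase/Postgres) is easiest to understand from a concrete policy. The following is an added illustration, not ValueAmp's own schema or code: it assumes a hypothetical `org_members` membership table and an `employees` table keyed by `org_id`, and uses Supabase's real `auth.uid()` helper and `authenticated` role. Every row is filtered by the organisations the signed-in user belongs to, so a query issued through the browser client can never return another tenant's rows, regardless of what filters the application code sends.

```sql
-- Added example of a tenant-isolation RLS policy (assumed schema, not the platform's own).
-- Membership table: which users belong to which organisation, and with what role.
create table if not exists org_members (
  org_id  uuid not null,
  user_id uuid not null,                       -- matches auth.users.id in Supabase
  role    text not null check (role in ('admin', 'analyst', 'viewer')),
  primary key (org_id, user_id)
);

-- A tenant-scoped table holding the kind of People-module data described in 2.2.
create table if not exists employees (
  id        uuid primary key default gen_random_uuid(),
  org_id    uuid not null,
  full_name text not null,
  job_title text,
  salary    numeric
);

-- Turn RLS on. Without policies, an RLS-enabled table returns no rows at all,
-- which is the safe default: access must be granted explicitly below.
alter table employees enable row level security;

-- Helper returning the organisations the calling user is a member of.
-- security definer lets it read org_members even if that table is itself locked down.
create or replace function my_org_ids()
returns setof uuid
language sql stable security definer
set search_path = public
as $$
  select org_id from org_members where user_id = auth.uid();
$$;

-- Read access: any authenticated member of the organisation may see its rows.
create policy employees_tenant_select on employees
  for select to authenticated
  using (org_id in (select my_org_ids()));

-- Write access: only admins of that organisation may insert, update or delete,
-- and they cannot move a row into an organisation they do not administer.
create policy employees_tenant_write on employees
  for all to authenticated
  using (
    org_id in (select org_id from org_members
               where user_id = auth.uid() and role = 'admin')
  )
  with check (
    org_id in (select org_id from org_members
               where user_id = auth.uid() and role = 'admin')
  );

-- Check: every table in the public schema should report rowsecurity = true.
-- Any row showing false is a table reachable through the browser client without isolation.
select tablename, rowsecurity
from pg_tables
where schemaname = 'public'
order by tablename;
```

Two points follow from the policy as written. First, the service role key mentioned in the list above bypasses RLS by design, which is exactly why the policy's guarantee only holds if that key never reaches a browser; the last query is a cheap periodic check that no tenant table has been created without RLS enabled. Second, the `with check` clause matters as much as `using`: without it an admin could update a row's `org_id` to a value outside their own organisation and hand the data to another tenant.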
No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at privacy@valueamp.co.uk.
11. Children's Privacy
ValueAmp is a professional B2B platform. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has submitted personal data to us, please contact privacy@valueamp.co.uk and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify registered users by email and update the "Last updated" date at the top of this page.
Continued use of the platform after changes take effect constitutes acceptance of the updated policy.
13. Contact Us
Data Controller: ValueAmp Advisory Ltd, England & Wales
Email: privacy@valueamp.co.uk
Platform: app.valueamp.co.uk
If you have a complaint, you also have the right to contact the Information Commissioner's Office (ICO): ico.org.uk
© 2026 ValueAmp Advisory Ltd