PRIVACY
Privacy policy
Phase 0 — early access. Last updated June 2026.
What this covers
CISflow is in early-access. This page explains, plainly and honestly, what data we handle, who processes it, what we keep and for how long, and your rights. It is written to be accurate about how the product actually works today — not aspirationally. It is a starting point and will be expanded as we grow; it is not formal legal advice, and we are having it reviewed.
What data we collect
Two kinds of data:
1. Invoice content.When you upload or forward a subcontractor invoice, it contains personal and financial data — the subcontractor's name and UTR (a tax identifier), and figures such as the labour/materials split, VAT, deduction rate and net pay. We read this to extract the CIS fields.
2. Account & contact data. The email address you sign up with, your business/practice details for your CIS statements (business name, your UTR, Accounts Office and PAYE references, trading address), and any message you send us.
How invoice content is processed (and where)
To read the figures off an invoice, CISflow sends the invoice content to OpenRouter, a third-party AI provider based in the United States, which runs the vision/AI model that extracts the fields. This means invoice content — including the personal data and tax identifiers it contains — is transferred to and processed in the US for that step. We disclose this transfer openly. We are working towards routing this to a UK/EU-region model to remove the transfer; until then, it relies on the standard international-transfer safeguards our providers operate under (see sub-processors below).
What we keep, and what we don't
We do not store the raw uploaded invoice files as a permanent archive — they are used for the extraction step and not retained long-term.
We do retain the extracted CIS records (the structured fields — subcontractor, UTR, labour/materials, deduction, net pay, and the bills/statements built from them) inside your account, so your CIS300 and monthly statements work. This data is stored in our database hosted in the UK region (London / eu-west-2). Your account and contact data are stored the same way.
Sub-processors
We use a small number of trusted providers to run CISflow. Each only receives the data it needs for its job:
Supabase — database, authentication and storage of your account and extracted CIS records (hosted UK region, London / eu-west-2).
OpenRouter — AI extraction of invoice content (United States). This is the step where invoice content leaves the UK.
Vercel — application hosting and cookieless analytics (US-based platform, global edge).
Stripe — subscription billing and payment processing (we never see or store your full card details).
Resend — transactional email (e.g. account and contact emails), where enabled.
We'll keep this list current as the product changes.
Why we're allowed to process it (lawful basis)
For processing invoice content and account data to provide the service you signed up for, our lawful basis is performance of a contract (delivering CISflow to you) and our legitimate interestsin operating and improving the tool. For any marketing email you'd only receive it where you've opted in. Where you use CISflow on behalf of your own clients' data, you are the controller of that data and CISflow acts as your processor.
How long we keep it
We keep your extracted CIS records and account data for as long as your account is active, so your statements and CIS300 figures stay available to you. If you close your account, deleting it removes your data — account deletion cascades and removes the associated records (see your rights, below). Raw uploaded files are not retained beyond the extraction step. Contact messages are kept only as long as needed to answer you.
Your rights
Under UK GDPR you can ask us what personal data we hold about you (access), ask us to correct it, and ask us to delete it. Deleting your account cascade-removes the data tied to it. To exercise any of these, email us (below) and we'll action it. You can also complain to the ICO if you're unhappy with how we've handled your data.
Security
Data is encrypted in transit and at rest, your data is isolated to your own account, and our database access is row-level enforced so one account can never read another's. ISO 27001 and Cyber Essentials are not yet held — they are in progress and targeted before a wider launch, and we will not claim them until they are formally in place. ICO registration and a written data-processing agreement are on our to-do list and not yet completed; we're being upfront about that rather than implying they already exist.
Analytics — cookieless and privacy-friendly
We use Vercel Web Analytics and Speed Insights to understand which pages are used and how fast they load. These are cookieless: they set no tracking cookies, build no cross-site profile, and do not sell or share your data. Because no cookies or personal profiles are involved, no consent banner is legally required — the small notice you may have seen is a courtesy. We use this only to improve the product.
You stay in control
CISflow never posts a figure without your approval, and you remain responsible for everything filed with HMRC. CISflow is a data-entry tool, not an accountancy or tax service.
Contact
Questions about your data? Email hello@cisflow.app.