Hales

Privacy Policy

Last updated: January 28, 2026

1. Introduction

Hales Finance ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our bill switching and financial management service.

We are registered in England and Wales and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We use Open Banking services regulated by the Financial Conduct Authority (FCA).

2. Data Controller

Hales Finance Ltd is the data controller for your personal data. You can contact us at:

3. Information We Collect

3.1 Information You Provide

  • Account Information: Email address for authentication and communication
  • Bill Information: Details of bills you add manually, including provider names, costs, and renewal dates
  • Preferences: Your automation settings, notification preferences, and reminder schedules
  • Uploaded Documents: Bill images or PDFs you upload for automated data extraction

3.2 Information from Open Banking

When you connect your bank account via Open Banking, we access:

  • Account holder name and account identifiers
  • Account balances (optional, for insights)
  • Transaction history (to detect recurring bills and payments)

Important: We only have read-only access. We cannot move money, make payments, or modify your accounts. Open Banking connections are provided by FCA-regulated Account Information Service Providers (AISPs).

3.3 Information Collected Automatically

  • Device information (type, operating system, browser)
  • IP address and approximate location (country level)
  • Usage data (pages visited, features used)
  • Analytics data via privacy-focused analytics (no cookies, no personal tracking)

4. How We Use Your Information

We use your information for the following purposes:

4.1 Service Delivery (Contractual Necessity)

  • Detecting and tracking your recurring bills
  • Finding better deals and quotes from providers
  • Executing bill switches on your behalf (when authorised)
  • Sending renewal reminders and savings alerts
  • Processing authentication and securing your account

4.2 Service Improvement (Legitimate Interest)

  • Analysing usage patterns to improve our service
  • Debugging errors and improving reliability
  • Developing new features based on user needs

4.3 Communications (Consent/Contractual)

  • Sending transactional emails (login links, switch confirmations)
  • Sending renewal reminders (based on your preferences)
  • Marketing communications (only with explicit consent)

5. Legal Basis for Processing

Under UK GDPR, we process your data based on:

  • Contract: Processing necessary to provide the service you signed up for
  • Consent: Where you explicitly agree (e.g., marketing, Open Banking connection)
  • Legitimate Interest: Service improvement and security, balanced against your rights
  • Legal Obligation: Where we must comply with applicable laws

6. Data Sharing

We share your data only in the following circumstances:

6.1 Service Providers

  • Open Banking Providers: Nordigen, TrueLayer, or Plaid to access your bank data (FCA-regulated)
  • Cloud Infrastructure: Railway.app for hosting, Cloudflare for security
  • Email Services: Resend for transactional emails
  • Payment Processing: Polar.sh for subscription billing
  • Error Tracking: Sentry for debugging (anonymised data)

6.2 Quote Providers

To find you better deals, we may share relevant bill details (anonymised where possible) with energy suppliers, insurance providers, and comparison services. This only occurs when you request quotes or enable automatic switching.

6.3 Legal Requirements

We may disclose data to comply with legal obligations, court orders, or government requests, or to protect our rights or safety.

We never sell your personal data to third parties.

7. Data Security

We implement industry-standard security measures:

  • 256-bit TLS encryption for all data in transit
  • Encryption at rest for stored data
  • Passwordless authentication (magic links) - no password storage
  • Regular security audits and penetration testing
  • Access controls and audit logging
  • EU/UK-based data centres

8. Data Retention

We retain your data for as long as your account is active, plus:

  • Account Data: Deleted within 30 days of account closure
  • Transaction Data: Retained for 6 years for regulatory compliance
  • Analytics Data: Aggregated and anonymised after 2 years
  • Uploaded Documents: Deleted within 90 days of processing

Open Banking connections automatically expire after 90 days and must be reauthorised by you.

9. Your Rights

Under UK GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time (without affecting prior processing)

To exercise these rights, email [email protected]. We will respond within 30 days.

10. Open Banking Specifics

Our Open Banking access is provided through FCA-regulated Account Information Service Providers (AISPs). Key points:

  • You authorise access directly with your bank
  • We only have read-only access to account information
  • We cannot make payments or move money
  • You can revoke access at any time via your bank or our settings
  • Connections expire after 90 days and require reauthorisation
  • Your bank credentials are never shared with us

11. Cookies and Tracking

We use minimal, privacy-focused tracking:

  • Essential Cookies: Session authentication only (required for login)
  • Analytics: Privacy-focused analytics (Umami) that does not use cookies or track individuals
  • No Third-Party Tracking: No advertising cookies, no social media tracking

12. International Transfers

Your data is primarily stored in the UK/EU. Where we use service providers in other countries (e.g., US-based cloud services), we ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs)
  • UK/EU adequacy decisions where applicable
  • Supplementary security measures as required

13. Children's Privacy

Our service is not intended for users under 18 years of age. We do not knowingly collect data from children. If you believe we have collected data from a minor, please contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification. The "Last updated" date at the top indicates when the policy was last revised.

15. Complaints

If you have concerns about how we handle your data, please contact us first at [email protected]. If you are not satisfied with our response, you have the right to lodge a complaint with:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113

16. Contact Us

For any questions about this Privacy Policy or your personal data: