CoreFi

Privacy Policy

Version 2.1 · Last updated: 16 February 2026

1. Who We Are

CoreFi is a trading name of JG Core Ltd, a company registered in England and Wales (Company #16218779).

We are the data controller for your personal data. If you have questions about this policy or your data, contact us at: legal@corefi.app

2. What Data We Collect

We collect the following categories of personal data:

  • Identity Data: Name, email address, password (hashed)
  • Financial Data: Bank account names, account types, balances, and transaction history (obtained via Open Banking - see Section 6)
  • Investment & Crypto Data: Investment holdings, transaction records (buys, sells, swaps, staking rewards), cryptocurrency wallet addresses, and portfolio valuations
  • Tax Data: Self Assessment return data, tax obligations, tax risk snapshots, and HMRC Government Gateway connection tokens (encrypted at rest with AES-256-GCM - see Section 7)
  • Business Data: Business entity names, company details, financial statements synced from Xero, and valuation parameters
  • Receipt & Document Data: Expense receipt images uploaded to the Receipt Vault, retained for up to 6 years for HMRC compliance
  • Subscription Data: Subscription tier, payment status, billing history
  • Usage Data: Pages visited, features used, session duration, education course progress
  • Technical Data: IP address (hashed for referral deduplication), browser type, device type, operating system
  • Preference Data: Theme settings, notification preferences, dashboard configuration
  • Referral Data: Referral source code and landing page (stored in a cookie for 90 days if you arrive via a partner link - see our Cookie Policy)
  • Leaderboard & Marketplace Data: If you opt in, anonymised financial metrics for leaderboard rankings; marketplace loan listings and interest expressions
  • AI-Generated Insights: Behavioural spending patterns, income stability scores, and cash flow forecasts derived from your financial data (processed on our servers using rule-based algorithms, not sent to third-party AI services)
  • Video Data: Financial recap videos generated from your data (rendered server-side for Premium users via AWS Lambda)

3. How We Use Your Data

We process your data for the following purposes and legal bases:

Purpose | Legal Basis
Providing the CoreFi service (dashboard, tracking, projections) | Contract performance
Open Banking account access | Your explicit consent
HMRC Government Gateway integration | Your explicit consent
Xero accounting data sync | Your explicit consent
Processing payments via Stripe | Contract performance
Investment and crypto tax calculations | Contract performance
AI-powered spending insights and categorisation | Contract performance
Service improvement and analytics | Legitimate interests
Referral tracking and partner attribution | Legitimate interests
Security and fraud prevention | Legitimate interests
Legal and regulatory compliance | Legal obligation
Marketing communications | Your consent

4. Who We Share Data With

We share your data with the following third-party processors:

Provider | Purpose | Location
TrueLayer | Open Banking data access (FCA-authorised, FRN: 901096) | UK/EU
HMRC | Self Assessment and VAT data via Government Gateway (your explicit consent required) | UK
Xero | Business accounting data sync (OAuth2, your explicit consent required) | UK/AU
Supabase | Database hosting and authentication | EU (Frankfurt)
Vercel | Application hosting and CDN | Global (UK edge)
Stripe | Payment processing | UK/EU
AWS Lambda | Video rendering for Premium tier financial summaries | EU (London)
CoinGecko | Cryptocurrency and asset price data (no personal data shared - only asset identifiers) | Global

Where data is transferred outside the UK, we ensure appropriate safeguards are in place (UK adequacy decisions or Standard Contractual Clauses).

AI processing: All AI-powered insights (spending categorisation, behavioural analysis, income stability, cash flow forecasting) are processed on our own servers. We do not send your financial data to any third-party AI or large language model provider.

5. Data Retention

  • Account data: Retained while your account is active, deleted within 90 days of account closure
  • Financial data (bank, investments): Retained while your account is active, deleted within 90 days of account closure or consent revocation
  • Transaction data: Up to 7 years where required for tax purposes, otherwise deleted with account
  • Receipt images: Up to 6 years from the tax year they relate to (HMRC record-keeping requirement), then deleted
  • HMRC tokens: Encrypted tokens retained while your HMRC connection is active; deleted immediately on disconnection
  • Xero tokens: Encrypted tokens retained while your Xero connection is active; deleted immediately on disconnection
  • Self Assessment data: Retained for 7 years from the tax year (aligned with HMRC record-keeping requirements)
  • Video exports: Stored for 90 days after generation, then deleted
  • Referral tracking data: Retained for commission attribution for the lifetime of the partner relationship, anonymised after account closure
  • Technical logs: 90 days
  • Marketing consent records: Retained for the duration of consent plus 2 years

6. Open Banking & TrueLayer

CoreFi connects to your bank accounts through TrueLayer, which is authorised and regulated by the Financial Conduct Authority (FCA) as an Account Information Service Provider (AISP), Firm Reference Number: 901096.

When you connect a bank account:

  • You authenticate directly with your bank - we never see, access, or store your bank login credentials
  • TrueLayer retrieves your account information (balances, transactions) on our behalf
  • We store this data in encrypted form to provide you with the CoreFi service
  • You can revoke access at any time via: the CoreFi app, your banking app, or by contacting your bank directly

7. HMRC Government Gateway

If you choose to connect your HMRC Government Gateway account:

  • You authenticate directly with HMRC via OAuth2 with PKCE - we never see or store your Government Gateway credentials
  • We retrieve Self Assessment and VAT data (obligations, liabilities, payments, penalties) on your behalf
  • HMRC access tokens are encrypted at rest using AES-256-GCM
  • We send legally-required Fraud Prevention headers with each HMRC API request (device type, timezone, IP - as required by HMRC's Making Tax Digital regulations)
  • You can disconnect at any time from the Tax Risk dashboard, which immediately deletes stored tokens

8. Xero Integration

If you connect Xero to track business financials:

  • You authenticate directly with Xero via OAuth2
  • We retrieve balance sheet and profit & loss data for your connected organisations
  • We do not access or modify your Xero accounting records - access is read-only
  • You can disconnect at any time from Settings, which revokes the token

9. Investment & Cryptocurrency Data

  • Investment transactions, holdings, and wallet addresses you enter are stored in our database
  • Crypto tax calculations (Section 104 pooled cost, same-day, 30-day rules) are performed on our servers using your transaction data
  • We fetch current asset prices from CoinGecko and other price services - only asset identifiers are sent, never your personal or financial data
  • Cryptocurrency wallet addresses are stored to help you organise your portfolio; we do not perform on-chain lookups or store private keys

10. Document & Statement Uploads

If you upload bank statements, credit card statements, mortgage documents, or other financial files for parsing and analysis:

  • Processed exclusively on CoreFi infrastructure - uploaded documents are parsed on our own servers. We do not send your documents to any third-party service, AI provider, or external API for analysis
  • No third-party AI processing - statement parsing uses rule-based algorithms running on CoreFi servers. Your financial documents are never sent to OpenAI, Google, or any other external AI service
  • You verify before we store - parsed data is presented to you for review before being saved to your account. You control what gets added to your financial profile
  • Source files deleted after processing - once you have verified and confirmed the parsed data, the original uploaded file is deleted from our servers. We retain only the structured financial data you approved, not the source document
  • Encrypted during processing - uploaded files are encrypted in transit (TLS 1.3) and at rest while temporarily stored for parsing

11. Your Rights

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

  • Right of access - request a copy of your personal data
  • Right to rectification - correct inaccurate data
  • Right to erasure - request deletion of your data (“right to be forgotten”)
  • Right to restrict processing - limit how we use your data
  • Right to data portability - receive your data in a structured, machine-readable format (CSV/JSON export is available from Settings)
  • Right to object - object to processing based on legitimate interests
  • Right to withdraw consent - withdraw consent for Open Banking, HMRC, Xero, or marketing at any time
  • Rights related to automated decision-making - we do not make decisions based solely on automated processing that produce legal effects

To exercise any of these rights, email legal@corefi.app. We will respond within 30 days.

12. Data Security

  • All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • HMRC and Xero access tokens are additionally encrypted with AES-256-GCM using dedicated encryption keys
  • Authentication uses industry-standard hashing (bcrypt)
  • Row-Level Security (RLS) policies ensure users can only access their own data
  • API access is protected with scoped OAuth2 keys, rate limiting, and optional IP allowlisting
  • Regular security reviews and dependency updates
  • We will notify the ICO and affected users within 72 hours of any data breach

13. Children's Data

CoreFi is intended for users aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe we have collected data from a minor, please contact us immediately.

14. Cookies

We use cookies and similar technologies. For full details, see our Cookie Policy.

15. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or via the app. The “last updated” date at the top reflects the most recent version.

16. Complaints

If you are unhappy with how we handle your data, please contact us first at legal@corefi.app.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk

17. FCA Disclosure

CoreFi is not regulated by the Financial Conduct Authority (FCA). We do not provide personal financial advice, investment advice, tax advice, or any form of regulated financial advice.

Bank account connections are powered by TrueLayer, which is authorised and regulated by the FCA (Firm Reference Number: 901096).

© 2026 JG Core Ltd. Company #16218779. Registered in England & Wales.

Questions? Email legal@corefi.app