Privacy Policy

Definitions

For this Privacy Policy:

• Personal Data means information that identifies you, or can be used to identify you (for example, name, email address, or online identifiers).
• Account Information means data about your bank or credit accounts (for example, balances and transactions) when you choose to connect accounts.
• ASPSP (Account Servicing Payment Service Provider) means your bank or card issuer that provides your account.
• Special Category Data means sensitive personal data with extra legal protection (for example, health, ethnicity, religion). We do not aim to collect this, but it may appear if you include it in support communications.

What data we collect

Information you give us

Depending on how you use the Services, this may include:

• Contact details (for example, name and email)
• Account and profile details you create within Arthur (if applicable)
• Support communications and any information you include in those messages

Information collected automatically on our website

We may collect:

• Device and technical data (IP address, browser type, operating system, language)
• Usage data (pages viewed, clicks, time on site, referring pages)
• Cookies and similar technologies (see section 12)

Information from third parties (including Open Banking, when enabled)

If you choose to connect accounts, we may receive Account Information such as:

• Account identifiers and metadata provided by your bank or provider (not your bank password)
• Balances
• Transaction history (date, description, amount, and related metadata)

Important: We do not ask for or store your online banking username or password. Authentication takes place through your bank's own authorisation flow.

How we use your data

We use personal data to:

• Provide the Services and manage your account
• Respond to support requests and communicate with you
• Maintain, secure, and troubleshoot the website and platform
• Understand usage and improve the product (including analytics)
• Prevent fraud, abuse, and security incidents
• Comply with legal obligations and enforce our terms

Our lawful bases (UK GDPR)

Depending on the activity, we rely on one or more lawful bases:

• Contract: to provide the Services you request
• Legitimate interests: to operate, secure, and improve the Services, balanced against your rights
• Consent: for non-essential cookies and certain optional features
• Legal obligation: when the law requires us to process data

Open Banking / account connectivity (important)

Arthur may offer account connectivity features. Arthur is not currently authorised or regulated by the FCA as an AISP. Instead, account connectivity is provided through a regulated Open Banking partner (an FCA-authorised Account Information Service Provider, “AISP”).

When this feature is enabled:

• You provide explicit consent through the Open Banking consent journey
• Your bank handles authentication and permissions
• We receive Account Information only to the extent you authorise and only for the purposes in this policy
• You can usually disconnect accounts at any time in Arthur and/or through your bank's connected apps area (depending on your bank)

Open Banking partner: Pending (we will list the provider once selected).

Automated processing and profiling

We may use software to support features such as:

• Transaction categorisation and description cleanup
• Recurring payment and potential duplicate detection
• Summaries and insights (for example, spending trends)

These processes support product functionality. If we introduce automated decisions that produce legal or similarly significant effects, we will explain this clearly and provide safeguards such as the ability to request human review.

How long we keep your data (retention)

We keep personal data only for as long as needed for the purposes in this policy, including security and legal requirements.

Typical retention periods (which may vary by context) include:

• Website logs and security events: typically 30-180 days
• Analytics data: according to configured settings (often up to 14 months)
• Support messages: typically up to 24 months
• Account data (if applicable): while your account is active, then for a limited period after closure (for example, 30-180 days), unless longer retention is needed for legal or security reasons
• Open Banking data (if enabled): while the connection is active and for a short period after disconnection, unless longer retention is required for legal or security reasons

We may retain anonymised data for longer when it can no longer be linked back to you.

Sharing your data

We do not sell your personal data.

We may share personal data with trusted providers who help us operate Arthur, including:

• Infrastructure and platform providers
• Vercel (hosting and deployment)
• Firebase (authentication, database, and related services)
• Google Analytics (website usage measurement, where enabled and consented)

We may also disclose personal data:

• When required by law, court order, or regulatory request
• To protect our rights, users, and service security
• During a business transaction (for example, merger or acquisition), with safeguards

Where we use service providers, we require them to protect personal data and process it only for agreed purposes.

International transfers

Some suppliers (including Firebase and Google) may process data outside the UK. Where personal data is transferred internationally, we apply appropriate safeguards (such as contractual protections) to help keep your data protected.

Keeping your information secure

We use technical and organisational measures to protect personal data, including access controls, encryption in transit where available, and security monitoring. No system is completely secure, but we continuously work to reduce risk and prevent unauthorised access.

Cookies and Google Analytics

We use cookies and similar technologies to:

• Keep the website functioning properly and securely (strictly necessary cookies)
• Measure and improve performance (analytics cookies), where enabled

We may use Google Analytics to understand how visitors use the site. Where required, we request consent for analytics cookies through a cookie banner.

You can manage cookies by:

• Using our cookie banner or settings (if available)
• Adjusting your browser settings to block or delete cookies

Blocking strictly necessary cookies may affect website functionality.

Your rights

Depending on your circumstances, you may have rights to:

• Access personal data
• Correct inaccurate data
• Request deletion (where applicable)
• Restrict processing
• Object to processing, especially where based on legitimate interests
• Data portability (where applicable)
• Withdraw consent at any time where processing is based on consent

To exercise your rights, contact Privacy@arthur-app.com. We may ask for information to verify your identity.

Complaints

If you are unhappy with how we handle personal data, contact us first at Privacy@arthur-app.com so we can try to resolve the issue.

You also have the right to complain to the UK supervisory authority, the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint.

Changes to this policy

We may update this Privacy Policy from time to time. We will publish updates on this page and revise the “Last updated” date below. If changes are material, we may provide additional notice.

Related documents: Terms, Cookie Policy, and Data Protection & ICO.

Last updated 15 February 2026