Privacy Policy

Last updated: 9 April 2026

ThomoAI Ltd · Company No. 17144197 · ICO No. 00013710011
17 Plumbers Row, London, E1 1EQ, United Kingdom

1. Who We Are

ThomoAI Ltd (“ThomoAI”, “we”, “us”, “our”) is a company registered in England and Wales under company number 17144197. Our registered office is at 17 Plumbers Row, London, E1 1EQ.

We are registered with the Information Commissioner’s Office (ICO) under registration number 00013710011 as a data controller. This means we determine how and why your personal data is processed.

If you have any questions about this Privacy Policy or how we handle your data, contact us at support@thomo.ai.

2. What Data We Collect

We collect the following categories of personal and business data when you use ThomoAI:

  • Account data — your name, email address, business name, and account login credentials when you register.
  • Business and financial data — bank transaction history, account balances, income and expense patterns, VAT and tax estimates, and any invoice data you create or import within the Service. This data is retrieved from your connected bank account on a read-only basis via Open Banking.
  • Usage data — information about how you use the Service, including features accessed, screens viewed, actions taken, session duration, and device and browser information.
  • Communication data — messages you send to our support team, responses to in-app prompts, and any feedback or information you voluntarily provide to Thomo through the AI chat interface.
  • Payment data — billing name, address, and payment method details. We do not store your full card number. Payment data is handled directly by Stripe, our payment processor, under their own privacy policy.
  • Technical data — IP address, device type, operating system, browser type, and unique device identifiers.

3. How We Collect Your Data

We collect data in the following ways:

  • Directly from you when you register, connect your bank account, use the Service, contact support, or interact with the Thomo AI chat interface.
  • Automatically when you use the Service, through cookies, analytics tools, and server logs.
  • From your bank via Open Banking, when you grant ThomoAI permission to access your account information on a read-only basis.
  • From third-party services we integrate with, such as our authentication provider and analytics platform, where you have authorised such sharing.

4. Why We Process Your Data and the Legal Basis

We process your data for the following purposes, each supported by a legal basis under the UK GDPR:

  • To provide the Service — processing your financial data to generate forecasts, alerts, tax estimates, and AI insights. Legal basis: performance of a contract with you.
  • To manage your account — creating and maintaining your account, processing payments, handling cancellations. Legal basis: performance of a contract with you.
  • To improve ThomoAI — analysing aggregated, anonymised usage patterns to improve our product, fix bugs, and develop new features. Legal basis: our legitimate interests in improving our Service, provided this does not override your rights.
  • To communicate with you — sending service emails, weekly briefings, alerts, and important account notifications. Legal basis: performance of a contract with you and, for marketing communications, your consent.
  • To comply with legal obligations — maintaining records as required by HMRC, responding to lawful requests from authorities, and complying with our obligations under the Data Protection Act 2018 and UK GDPR. Legal basis: compliance with a legal obligation.
  • To protect against fraud and misuse — monitoring for suspicious activity and protecting the security of the Service. Legal basis: our legitimate interests in protecting ThomoAI and its users.

5. How We Use Your Financial Data Specifically

Your bank transaction data is the core of what ThomoAI does. We use it to generate your cash flow forecasts, categorise your income and expenses, calculate your estimated VAT and Corporation Tax position, identify patterns and anomalies in your business finances, and power the Thomo AI chat interface’s responses to your questions.

We do not sell your financial data to any third party. We do not use your identifiable financial data to train AI models without your explicit consent. We do not share your transaction data with advertisers.

Aggregated, anonymised financial patterns may be used to improve ThomoAI’s forecasting models. This data cannot be used to identify you or your business.

6. Who We Share Your Data With

We share data only where necessary to provide the Service or comply with legal requirements. We do not sell your data.

Service providers

We use carefully selected third-party providers to operate ThomoAI, including our payment processor (Stripe), authentication provider (Clerk), email delivery provider (Resend), cloud hosting provider (Vercel), database provider, and analytics provider (PostHog). Each provider acts as a data processor under our instruction and is bound by data processing agreements. They may not use your data for their own purposes.

AI processing

The Thomo AI chat interface is powered by Anthropic’s Claude API. When you interact with Thomo, your questions and relevant account context are sent to Anthropic’s API for processing. Anthropic processes this data under a data processing agreement and does not use your data to train their models under our commercial agreement.

Legal and regulatory

We may disclose your data to law enforcement, regulatory bodies, or courts where required by law or to protect ThomoAI’s legal rights.

Business transfers

In the event of a merger, acquisition, or sale of ThomoAI, your data may be transferred to the acquiring entity. We will notify you before any such transfer and provide you with the opportunity to delete your account.

We do not transfer your personal data outside the UK or European Economic Area except where we have ensured appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

7. Cookies and Tracking

ThomoAI uses cookies and similar tracking technologies to operate the Service, remember your preferences, analyse usage, and improve your experience.

  • Strictly necessary cookies — required for the Service to function. These cannot be disabled.
  • Analytics cookies — help us understand how users interact with ThomoAI so we can improve it. These are set only with your consent.
  • Preference cookies — remember your settings and choices within the Service.

You can manage your cookie preferences at any time through your browser settings or through our cookie consent tool. Disabling certain cookies may affect the functionality of the Service.

8. Data Retention

We retain your personal data for as long as your account is active. Following account closure:

  • Financial and transaction data is retained for 6 years in compliance with HMRC record-keeping requirements applicable to UK businesses.
  • Account and identity data is retained for 2 years following closure to handle any account-related queries or disputes.
  • Support communications are retained for 2 years.
  • Anonymised, aggregated usage data may be retained indefinitely for product improvement purposes.

You may request deletion of non-statutory data at any time by contacting support@thomo.ai. We will action deletion requests within 30 days, subject to our legal retention obligations.

9. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — you may request a copy of the personal data we hold about you.
  • Right to rectification — you may ask us to correct inaccurate or incomplete data.
  • Right to erasure — you may ask us to delete your personal data where we no longer have a legal basis to hold it.
  • Right to restriction — you may ask us to restrict processing of your data in certain circumstances.
  • Right to data portability — you may request your data in a structured, commonly used, machine-readable format.
  • Right to object — you may object to processing based on legitimate interests, including profiling for direct marketing.
  • Right to withdraw consent — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, email us at support@thomo.ai. We will respond within one calendar month. We may need to verify your identity before processing your request.

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner’s Office at ico.org.uk or by calling 0303 123 1113.

10. Security

ThomoAI implements the following security measures to protect your data:

  • All data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256 encryption.
  • Access to your data is restricted to authorised ThomoAI personnel on a need-to-know basis.
  • We conduct regular security reviews and vulnerability assessments.
  • We maintain an incident response plan and, in the event of a data breach, will notify affected users and the ICO within 72 hours of becoming aware of it, as required by law.

No method of transmission or storage is 100% secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security.

11. Children

ThomoAI is not directed at or intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data, please contact support@thomo.ai and we will delete it promptly.

12. Links to Third-Party Sites

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those sites and recommend reviewing their privacy policies before providing any personal information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the law, our data practices, or the Service. Where changes are material, we will notify you by email to your registered address or via in-app notification at least 14 days before the changes take effect.

The date at the top of this policy indicates when it was last updated. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

14. Contact Us

For any questions, requests, or complaints relating to this Privacy Policy or your personal data:

ThomoAI Ltd

17 Plumbers Row, London, E1 1EQ, United Kingdom

Email: support@thomo.ai

Company number: 17144197

ICO registration number: 00013710011

This Privacy Policy was last updated on 9 April 2026.